Microsoft has confirmed that attackers are actively exploiting two recently discovered zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019.
Specialists from the Vietnamese company GTSC were the first to report the new bugs and the attacks using them. According to GTSC, the attackers use the zero-days to deploy China Chopper web shells on compromised servers, which they then use to keep a foothold, steal data and move laterally through victims' networks.
Let me remind you that we also wrote that new vulnerabilities in Microsoft Exchange have already affected tens of thousands of organizations, and that Microsoft urges Exchange Server admins to fix a bug exploited in the wild.
According to GTSC, Chinese hackers may be behind these attacks: the web shell code contains simplified Chinese characters, and the attackers manage their web shells with AntSword, a Chinese open-source tool.
GTSC reported the vulnerabilities three weeks ago through the Zero Day Initiative, which assigned them the IDs ZDI-CAN-18333 and ZDI-CAN-18802.
Although GTSC has released few details about the new vulnerabilities, the researchers say the requests used in this exploit chain are similar to those used in attacks on the ProxyShell issue. According to them, the exploit works in two stages:
- ProxyShell-like requests of the form: autodiscover/autodiscover.json?@evil.com/&Email=autodiscover/autodiscover.json%3f@evil.com
- using such a request to reach a backend component in which RCE can be achieved.
Shortly after the warning from GTSC, Microsoft confirmed the existence of two zero-days in Exchange.
Microsoft emphasized that exploiting CVE-2022-41040 (a server-side request forgery) requires an authenticated attacker; once it is triggered, the attacker can move on to CVE-2022-41082, which allows arbitrary code execution when PowerShell is reachable by the attacker.
Instead of patches, Microsoft is currently proposing to block the remote PowerShell ports (HTTP 5985 and HTTPS 5986) for non-admin users and to add a specific URL Rewrite rule in front of the Autodiscover endpoint. Detailed protection instructions are already available on the company blog. Note that these are stopgaps, not fixes: a rewrite rule that matches the literal request string can be sidestepped by encoding the characters it looks for, so admins should apply the current version of Microsoft's rule and re-check it whenever the guidance is updated.
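To make the two stages above and the mitigation concrete, here is an added example, written for this page and not code from GTSC or Microsoft. It parses a constructed IIS W3C log excerpt (the log lines are made up for the example), flags requests that carry the autodiscover.json?@evil.com/... shape described by GTSC, and separates the SSRF-style probe from the chain that reaches the backend PowerShell endpoint. It then compares the pattern from Microsoft's initial URL Rewrite guidance, which was evaluated against the raw request URI, with a check that URL-decodes the URI first (Microsoft later revised its rule to decode the URI; the hardened pattern here is my own formulation, not Microsoft's verbatim rule). The backend endpoint "powershell" after @evil.com/ and the attacker IP and User-Agent strings are assumptions, not data from the original report.

```python
"""Added example (not GTSC's or Microsoft's code): triage IIS logs for
ProxyNotShell-style requests and compare a literal URL Rewrite pattern with a
URL-decoded check."""
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt; these are not real log lines. The
# backend endpoint "powershell" after @evil.com/ is an assumption consistent
# with Microsoft's note that the RCE step needs PowerShell access.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:12:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
2022-09-30 08:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.10 python-requests/2.28 200
2022-09-30 08:12:15 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.com/powershell&Email=autodiscover/autodiscover.json%3f%40evil.com 443 - 203.0.113.10 python-requests/2.28 200
2022-09-30 08:13:00 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/mapi/nspi&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.10 python-requests/2.28 401
2022-09-30 08:14:22 10.0.0.5 GET /autodiscover/autodiscover.json - 443 CORP\\alice 192.0.2.7 Outlook/16.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per log line, keyed by the column names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line appeared before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess column positions
        yield dict(zip(fields, values))


def classify_request(entry):
    """Return None, "ssrf-probe" or "powershell-chain" for one parsed log entry.

    '@' inside an autodiscover.json URI is the ProxyShell-style SSRF shape
    (CVE-2022-41040); a backend "powershell" segment marks the RCE step
    (CVE-2022-41082). The URI is decoded first so %40 is treated like '@'.
    """
    stem = entry["cs-uri-stem"]
    query = entry["cs-uri-query"]
    uri = stem if query == "-" else f"{stem}?{query}"
    decoded = unquote(uri).lower()
    if "autodiscover.json" not in decoded or "@" not in decoded:
        return None
    if "powershell" in decoded:
        return "powershell-chain"
    return "ssrf-probe"


def scan_log(text):
    """Return the suspicious entries with the fields an incident responder wants first."""
    hits = []
    for entry in parse_iis_w3c(text):
        verdict = classify_request(entry)
        if verdict is None:
            continue
        hits.append({
            "time": f'{entry["date"]} {entry["time"]}',
            "client": entry["c-ip"],
            "status": entry["sc-status"],  # a 200 on the chain request is the worrying case
            "verdict": verdict,
            "uri": f'{entry["cs-uri-stem"]}?{entry["cs-uri-query"]}',
        })
    return hits


# Pattern from Microsoft's initial URL Rewrite guidance, applied to the raw
# {REQUEST_URI}. IIS URL Rewrite matches case-insensitively by default.
INITIAL_REWRITE_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def initial_rule_blocks(request_uri):
    """Literal match on the raw URI: a percent-encoded '@' (%40) is not seen as '@'."""
    return INITIAL_REWRITE_PATTERN.match(request_uri) is not None


# Hardened check (my formulation): decode first, then require both substrings in any order.
HARDENED_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def hardened_rule_blocks(request_uri):
    """URL-decode before matching so encoding tricks cannot hide the chain request."""
    return HARDENED_PATTERN.match(unquote(request_uri)) is not None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_IIS_LOG):
        print(hit)
    encoded = "/autodiscover/autodiscover.json?%40evil.com/powershell&Email=autodiscover/autodiscover.json%3f%40evil.com"
    print("initial rule blocks encoded variant:", initial_rule_blocks(encoded))
    print("hardened rule blocks encoded variant:", hardened_rule_blocks(encoded))
```

Run it against real IIS logs by reading the files in place of SAMPLE_IIS_LOG; the parser uses each file's own #Fields: header, so the column layout does not have to match the sample. The two rule functions are the point of the block: the same request, once with a literal '@' and once with %40, is blocked by the literal pattern only in the first form, while the decoded check catches both.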
Well-known information security expert Kevin Beaumont has named these vulnerabilities ProxyNotShell, because of their similarity to the older ProxyShell flaw. Before Microsoft's official announcement, Beaumont suggested that the attackers might simply have found a new and more effective exploit for ProxyShell rather than a genuinely new problem.
Even now that the vulnerabilities have been confirmed as real, other researchers still believe the bugs may stem from Microsoft never having fully fixed the ProxyShell problem.