Microsoft Exchange zero day vulnerabilities perform data exfiltration, reconnaissance

Microsoft confirmed last week that two vulnerabilities are being exploited against on-premises Exchange servers. One is referred to as a server-side request forgery vulnerability—CVE-2022-41040—that can allow a hacker with credentials for a user account on the mail server to gain unauthorized levels of access. The second vulnerability—CVE-2022-41082—allows remote code execution similar to the 2021 ProxyShell issues.

A single threat group is behind the attacks that have compromised Exchange servers in the wild, which Microsoft claims is limited to “fewer than 10 organizations around the world.” The threat group is a state-sponsored group, capable of conducting Active Directory reconnaissance and data exfiltration once compromised.

The zero day vulnerabilities affect Exchange Server 2013, 2016 and 2019. They were largely unknown until Vietnam-based GTSC disclosed the vulnerabilities to Trend Micro’s Zero Day Initiative so Microsoft could mitigate them.

Microsoft has confirmed that it is working on remediation techniques for the vulnerabilities, but after more than a week, has struggled to contain the outbreak. Despite providing mitigation steps to protect customers against attacks, researchers have been able to successfully bypass the suggested changes—keeping customers at risk.

Microsoft is trying to establish root cause and develop a full patch to remediate, however this will take time, Erik Nost, senior analyst at Forrester commented.

Microsoft on Thursday, Oct. 6th, posted an update to Exchange On-Premises Migration Tool (EOMTv2) rule, which asks customers to remove an extra space in the remediation script.

Microsoft has communicated through an outside firm that it will post additional remediation techniques as they are discovered while they await a full patch.


Discover more from Cybersecurity Careers Blog

Subscribe to get the latest posts sent to your email.