Các bài viết liên quan:
On Friday, Microsoft revealed that a single operations group in August 2022 gained initial access and breached Exchange servers by chaining two newly disclosed zero-day vulnerabilities in a limited series of attacks against less than 10 organizations globally.
“These attacks installed the Chopper web shell to facilitate keyboard access, which attackers use to perform Active Directory reconnaissance and data theft,” Microsoft Threat Intelligence Center (MSTIC) said in a report Friday.
Microsoft further warned that the weaponization of security vulnerabilities will increase in the coming days, as malicious actors coordinate exploits into their toolkit, including deployments. ransomwaredue to the “high-access Exchange system given to the attacker.”
The tech giant attributed the ongoing attacks with average confidence to a state-sponsored organization, adding that it investigated the attacks when the Zero Day Initiative was launched. disclosed the vulnerabilities to the Microsoft Security Response Center (MSRC) earlier this month on September 8-9, 2022.
The two vulnerabilities are collectively known as ProxyNotShelldue to the fact that “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, a copy is proposed. patch Incomplete.
Issues, chained together to achieve remote code execution, are listed below:
CVE-2022-41040 – Request server-side security vulnerability Microsoft Exchange Server
CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability
“Although these vulnerabilities require authentication, the authentication required to exploit could be that of a standard user,” Microsoft said. “Standard user credentials can be obtained through a variety of attacks, such as password spraying or purchasing through the cybercrime economy.”
These vulnerabilities were first discovered by Vietnamese cybersecurity company GTSC as part of an incident response effort for a customer in August 2022. A Chinese threat actor is suspected of being behind the attacks. intrusion.
This development comes as the U.S. Cybersecurity and Infrastructure Agency (CISA) has added two Microsoft Exchange Server zero-day vulnerabilities to the Known Exploited Vulnerabilities (KEV) category. requires federal agencies to apply patches by October 21, 2022.
Microsoft says it’s working on an “accelerated timeline” to come up with a fix for the omissions. It also published a script for the following URL Rewrite mitigation steps, which it claims is “successful in breaking current attack chains” –
Open IIS Manager Select Default Site In Features View, click URL Rewrite In the Actions pane on the right side, click Add Rule(s)… Select Request Blocking and click OK Add String” . * Autodiscover \ .json. * ‘. * Powershell. * And click Edit under Condition. Change the Condition input from {URL} to {REQUEST_URI}
As additional precautions, the company is urging companies to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users about not accepting two-factor authentication prompts. element (2FA) is undesirable.
Travis Smith, vice president of malware threat research at Qualys, told The Hacker News: “Microsoft Exchange is a delicious target for threat actors to exploit for two main reasons.
“First, Exchange […] Being directly connected to the internet creates an attack surface that is accessible from anywhere in the world, greatly increasing the risk of being attacked. Second, Exchange is a mission-critical function – organizations cannot simply pull out or shut down email without severely impacting their business in a negative way. “
