Two zero-day vulnerabilities in Microsoft Exchange Server are being exploited in the wild, nearly two years after similar attacks on the email server software affected a broad range of organizations.
In a blog post Thursday night, Microsoft confirmed it was investigating reported Exchange Server vulnerabilities and was "aware of limited targeted attacks." While the software giant is still working on security patches for the zero days, it did provide mitigation steps for on-premises customers.
The server-side request forgery (SSRF) flaw is being tracked as CVE-2022-41040, and the remote code execution (RCE) vulnerability was assigned CVE-2022-41082. As with the ProxyShell vulnerabilities in Exchange Server disclosed last year, attackers are chaining the two flaws to gain access to victims' systems; the flaws affect only Microsoft Exchange Server 2013, 2016 and 2019.
"In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities," the Microsoft Security Response Center wrote in the blog post.
Additionally, Microsoft said successful attacks require PowerShell access.
While no patch is currently available, Microsoft is urging customers to apply URL Rewrite instructions that block the exploitation chain and to block exposed remote PowerShell ports. Blocking those ports can prevent authenticated attackers who can access PowerShell from triggering the RCE flaw, according to the blog.
UPDATE 11/8: Microsoft patched the two vulnerabilities in its November Patch Tuesday release.
TechTarget Editorial asked Microsoft for additional comment, but the company declined and referred to the blog post.
Even once a fix becomes available, past Exchange Server incidents have shown that organizations are slow to patch, with dire consequences.
Vietnamese cybersecurity company GTSC first observed the flaw last month while providing incident response services. Once researchers determined that the flaw was critical because it led to RCE, GTSC submitted it to the Zero Day Initiative (ZDI), which confirmed it as two distinct vulnerabilities, with CVSS scores of 6.6 and 8.8.
GTSC reported the flaws to ZDI on Sept. 8, prior to the current zero-day attacks. However, the cybersecurity company published the information in a blog post Thursday after detecting exploitation activity in the wild against customers.
The timeline shares similarities to ProxyLogon, another set of four vulnerabilities that affected Exchange servers last year. The flaws enabled threat actors to access email accounts and, more significantly, maintain a prolonged presence on victim environments through backdoors.
In both cases, exploitation started after the vulnerabilities were reported but before they were publicly disclosed and patched. In the case of ProxyLogon, threat actors, including a Chinese nation-state group known as Hafnium, used the zero-day vulnerabilities in attacks on a multitude of organizations before Microsoft released security patches. Estimates at the time put the number of potentially vulnerable Exchange Servers at 60,000 or more.
Additionally, Chinese threat actors have been linked to the current zero days as well. GTSC said it followed a trail of mostly obfuscated web shells to AntSword, "an active Chinese-based open source cross-platform website administration tool," which led to further analysis.
"We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese," GTSC wrote in its blog post.
Independent security researcher Kevin Beaumont shared more similarities on Twitter and in a blog post Thursday, where he referred to the flaws as "ProxyNotShell." He confirmed that "significant numbers of Exchange servers have been backdoored -- including a honeypot." Beaumont also highlighted several ProxyShell comparisons, including the path and the same SSRF/RCE chain, except that a user must be authenticated to exploit the most recent flaws.
Another commonality he discovered was the request string, which mirrors ProxyShell from 2021. "It appears the ProxyShell patches from early 2021 did not fix the issue," Beaumont wrote in the blog, adding that the mitigation for the current zero days is the same as for the ProxyShell PowerShell RCE issue.
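The URL Rewrite mitigation Microsoft describes above and the ProxyShell-style request string Beaumont points to both hinge on the same shape of request: an Autodiscover path whose query carries an `@` host segment and a `/powershell` target. The scanner below, added here as an example and not code from the article, GTSC, Beaumont or Microsoft, reads IIS W3C log lines and flags requests of that shape, which is what an administrator would run over existing logs to check whether the mitigation arrived too late. The regex `GTSC_PATTERN` is the grep pattern GTSC published in its detection guidance (not quoted in this article); the field-aware check `is_proxynotshell_request` is this example's own, stricter variant, and the log lines in `SAMPLE_IIS_LOG` are constructed, not from any real server.

```python
import re
from typing import Dict, List

# Pattern GTSC published for grepping IIS logs (Select-String is case-insensitive,
# so it is compiled that way here). Kept for comparison with the field-aware check.
GTSC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS W3C log excerpt for this example. Lines 3 and 4 have the exploit
# shape (Autodiscover stem, "@host/powershell" in the query); line 5 is a benign
# Autodiscover request that also contains "@" and must not be flagged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:14:02 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 41
2022-09-29 10:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/owa/&Email=autodiscover/autodiscover.json%3F@example.com 443 CONTOSO\\alice 203.0.113.7 Mozilla/5.0 - 200 0 0 133
2022-09-29 10:14:10 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/&Email=autodiscover/autodiscover.json%3F@example.com 443 CONTOSO\\alice 203.0.113.7 python-requests/2.28 - 200 0 0 812
2022-09-29 10:15:31 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/&Email=autodiscover/autodiscover.json%3F@example.com 443 - 203.0.113.7 python-requests/2.28 - 401 1 0 9
2022-09-29 10:16:00 10.0.0.5 GET /autodiscover/autodiscover.json email=bob@contoso.com 443 CONTOSO\\bob 10.0.0.22 Outlook/16.0 - 200 0 0 22
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request, using the
    #Fields directive for column names so the check survives custom layouts."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxynotshell_request(row: Dict[str, str]) -> bool:
    """True when the request has the ProxyShell/ProxyNotShell shape: the
    Autodiscover JSON stem, an '@' host segment in the query (the SSRF hop),
    and a /powershell target (the remote PowerShell endpoint)."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "").lower()
    return (
        stem.endswith("/autodiscover/autodiscover.json")
        and "@" in query
        and "powershell" in query
    )


def find_suspicious_requests(text: str, successful_only: bool = True) -> List[Dict[str, str]]:
    """Return the parsed log rows that look like exploitation attempts. With
    successful_only=True only HTTP 200 responses are kept, which is what GTSC's
    pattern does; set it False to also see blocked or failed attempts (e.g. 401s
    after the URL Rewrite rule or credential changes took effect)."""
    hits = []
    for row in parse_w3c_log(text):
        if not is_proxynotshell_request(row):
            continue
        if successful_only and row.get("sc-status") != "200":
            continue
        hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG, successful_only=False):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-username"], hit["sc-status"], hit["cs-uri-query"])
```

Note what the field-aware check buys over the raw regex: the successful attempt and the 401 retry are both surfaced when `successful_only=False`, while the ordinary Outlook Autodiscover request carrying an `@` in its email parameter is not. In practice the `cs-username` column matters as much as the source IP, because the chain requires valid credentials and that account should be treated as compromised.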
Additionally, he questioned Microsoft's mitigation, which stated that Exchange Online customers don't need to take any action. "Even if you're Exchange Online, if you migrated and kept a hybrid server (a requirement until very recently) you are impacted," Beaumont wrote on Twitter.