Dive Brief:
- A single threat actor group is behind the attacks that compromised Exchange servers and chained together two zero-day vulnerabilities, Microsoft said in a blog post issued late Friday. The actor launched attacks “in fewer than 10 organizations” around the world, Microsoft confirmed.
- Microsoft researchers said the actor, which they say is state sponsored, installed Chopper web shells to gain hands-on-keyboard access, conduct Active Directory reconnaissance and exfiltrate data.
- Microsoft researchers expect additional threats and attacks once security researchers and criminal actors adopt published research into their toolkits and proof of concept code is released. No patch has been issued, but John Hammond, senior security researcher at Huntress, said Microsoft released a PowerShell script tool to automate the URL rewrite mitigation in the meantime.
Dive Insight:
The confirmations from Microsoft follow the initial reports from Vietnam-based GTSC, which disclosed the vulnerabilities to Trend Micro’s Zero Day Initiative so Microsoft could issue a patch.
The zero days, involving Microsoft Exchange Server 2013, 2016 and 2019, were largely unknown publicly until security researcher Kevin Beaumont retweeted the GTSC research last week. Beaumont has dubbed the zero days "ProxyNotShell."
GTSC Blueteams, while responding to a customer request, located exploit requests in IIS logs with the same format as ProxyShell vulnerabilities, according to the GTSC blog post. The company said the attacker was using Antsword, a China-based open source website administration tool.
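The two technical threads above, Microsoft's URL Rewrite mitigation and GTSC's discovery of suspicious requests in IIS logs, converge on the same triage task: scanning web server logs for the request shape the mitigation blocks. The following Python is an added example written for this page; it is not code from Microsoft, GTSC or Huntress. The IIS W3C log lines are constructed, and the `SUSPECT_RE` pattern is an assumption modeled on Microsoft's published URL Rewrite guidance (which the page does not reproduce and which Microsoft revised more than once), so treat any match as a lead for investigation rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample IIS W3C log (not from the page or from GTSC's report).
# Column order is defined by the #Fields: directive, as in a real IIS log.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-09-30 08:15:01 10.0.0.5 GET /owa/ - 198.51.100.10 Mozilla/5.0 200
2022-09-30 08:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 198.51.100.10 python-requests/2.28 200
2022-09-30 08:16:22 10.0.0.5 GET /ecp/default.aspx - 203.0.113.7 Mozilla/5.0 302
"""

# Assumed mitigation-style match: both "autodiscover" and "powershell" appear
# anywhere in the request URI, case-insensitively. The exact regex Microsoft
# shipped in its URL Rewrite rule is not on the page; this is a stand-in.
SUSPECT_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


@dataclass
class IISRecord:
    date: str
    time: str
    method: str
    uri_stem: str
    uri_query: str
    client_ip: str
    user_agent: str
    status: str

    @property
    def full_uri(self) -> str:
        # IIS writes "-" when the query string is empty.
        return self.uri_stem if self.uri_query == "-" else f"{self.uri_stem}?{self.uri_query}"


def parse_iis_log(text: str) -> List[IISRecord]:
    """Parse W3C extended log lines, mapping columns by the #Fields: header."""
    fields: Optional[List[str]] = None
    records: List[IISRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: header
        cols = line.split()
        if len(cols) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        row = dict(zip(fields, cols))
        records.append(IISRecord(
            date=row["date"], time=row["time"], method=row["cs-method"],
            uri_stem=row["cs-uri-stem"], uri_query=row["cs-uri-query"],
            client_ip=row["c-ip"], user_agent=row["cs(User-Agent)"],
            status=row["sc-status"],
        ))
    return records


def find_suspect_requests(text: str) -> List[IISRecord]:
    """Return log records whose full URI matches the mitigation-style pattern."""
    return [r for r in parse_iis_log(text) if SUSPECT_RE.search(r.full_uri)]


if __name__ == "__main__":
    for rec in find_suspect_requests(SAMPLE_IIS_LOG):
        print(f"{rec.date} {rec.time} {rec.client_ip} {rec.method} {rec.full_uri} -> {rec.status}")
```

Because the parser keys on the `#Fields:` header rather than fixed column positions, it tolerates the differing field sets that IIS sites are commonly configured to log; a line whose column count disagrees with the header is skipped instead of being silently mis-parsed. A 200 response on a matching request is the case worth escalating, since it indicates the request reached the backend rather than being blocked by the rewrite rule.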
The Cybersecurity and Infrastructure Security Agency on Friday released an advisory on the vulnerabilities, CVE-2022-41040 and CVE-2022-41082. CISA also added them to the Known Exploited Vulnerabilities Catalog.
While Microsoft confirmed the zero days do not require authentication, researchers cautioned not to take them lightly, noting that stolen credentials are still widely available on the dark web.
“Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker,” Microsoft researchers said in the post.
Rapid7 researcher Caitlin Condon noted in a blog post that 191,000 Exchange servers were exposed to the Internet via port 443 as of early September.
Microsoft Exchange Online customers did not have to take any additional action, Microsoft previously said. However, Beaumont warned that the many customers that run Exchange hybrid servers are vulnerable. Hybrid deployments are often used as an intermediate step by customers who don't want to move fully online.