Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers

A Vietnam-based cybersecurity company reported that cybercriminals are actively eyeing Microsoft zero-day vulnerabilities, particularly CVE-2022-41040 and CVE-2022-41082, to target MS Exchange servers. The company observed attacks exploiting these vulnerabilities.

New Attack Campaign Targeting Exchange Servers

GTSC is a Vietnamese firm that disclosed how attackers leverage previously known Microsoft Exchange vulnerabilities, allowing an authenticated attacker to execute arbitrary code, even those with low-level privilege escalation.

The campaign was discovered in early August, and its main target was critical infrastructure. The company sent the vulnerability details to the Zero-Day Initiative (ZDI), which verified the flaws.

Cybersecurity researcher Kevin Beaumont’s tweets confirmed GTSC’s story, claiming that attackers are backdooring Exchange servers and even using a honeypot. Beaumont also noted that Microsoft is probably aware of the new vulnerability. It is, however, yet to inform its customers.

Two New Flaws Identified

Research reveals that the latest attack against Exchange servers utilized at least two new flaws (CVE-2022-41040, CVE-2022-41082) that have been assigned CVSS scores of 6.3 and 8.8.

“After careful testing, we confirmed that those systems were being attacked using this 0-day vulnerability. To help the community temporarily stop the attack before an official patch from Microsoft is available, we publish this article aiming at those organizations who are using the Microsoft Exchange email system.”


The resemblance with the ProxyShell Vulnerability

The newly discovered vulnerability is suspected of resembling the ProxyShell flaw for which Microsoft released updates in May-July 2021. But, in their report, GTSC researchers noted that they checked several logs and learned that the attacker could execute commands on the targeted system. The Exchange servers’ version number showed that the latest update was installed.

This means it was impossible to exploit ProxyShell vulnerability. But, Kevin Beaumont states that it is possible if someone created an effective ProxyShell exploit and targeted unpatched Exchange servers. Hence, this activity was named ProxyNotShell by Beaumont. Conversely, GTCS believes a zero-day is involved.

Nevertheless, Microsoft has acknowledged the issue and is working on issuing security patches. The technical blog post published by Microsoft Security Response Center today is available here.

More Microsoft Security News

  1. Conti affiliates hit Exchange Servers with ProxyShell exploits
  2. Scammers Leveraging Microsoft Team GIFs in Phishing Attacks
  3. Unpatched MS Exchange Servers abused in new phishing scam
  4. Spam Attack Abusing OAuth Apps to Target MS Exchange Servers
  5. Nitrokod Crypto Miner in Fake Microsoft and Google Translate Apps

Related News

CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…
GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of…