
High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers

Saturday October 1, 2022. 03:00 PM , from Slashdot
An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild. People running on-premises Exchange servers 'should apply a blocking rule that prevents servers from accepting known attack patterns,' reports Ars. The rule can be found in Microsoft's advisory.

'For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082.'
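The port block quoted above, applied with Windows Defender Firewall, as an added PowerShell example that is not from the article, Slashdot, or Microsoft's advisory; the rule display names are assumptions chosen for this example.

```powershell
# Added example: block inbound TCP 5985 (WinRM over HTTP) and 5986 (WinRM over
# HTTPS) on an on-premises Exchange host, idempotently, then verify the result.
# Run from an elevated PowerShell session on the Exchange server itself.
# The DisplayName values are assumptions chosen for this example.

$blocks = @(
    @{ Port = 5985; Name = 'Exchange-Mitigation-Block-WinRM-HTTP-5985' },
    @{ Port = 5986; Name = 'Exchange-Mitigation-Block-WinRM-HTTPS-5986' }
)

foreach ($b in $blocks) {
    $existing = Get-NetFirewallRule -DisplayName $b.Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-NetFirewallRule -DisplayName $b.Name `
            -Direction Inbound -Protocol TCP -LocalPort $b.Port `
            -Action Block -Profile Any -Enabled True | Out-Null
        Write-Output "Created inbound block rule for TCP/$($b.Port)"
    } else {
        # A rule with this name already exists: make sure it is enabled and blocking,
        # so a previously disabled or edited copy does not leave the port open.
        Set-NetFirewallRule -DisplayName $b.Name -Enabled True -Action Block
        Write-Output "Rule for TCP/$($b.Port) already present; ensured Enabled + Block"
    }
}

# Verification: confirm each rule is present, enabled and set to Block, and report
# whether a service is still listening on the port. A listener is expected (the
# firewall drops inbound connections before they reach it); the column just shows
# what the rule is shielding.
foreach ($b in $blocks) {
    $rule     = Get-NetFirewallRule -DisplayName $b.Name
    $listener = Get-NetTCPConnection -State Listen -LocalPort $b.Port -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port      = $b.Port
        Rule      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Action    = $rule.Action
        Listening = [bool]$listener
    }
}
```

Blocking these ports also cuts off legitimate WinRM-based remote management of the host, so plan an alternative administrative path before applying the rules.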

Read more of this story at Slashdot.
https://it.slashdot.org/story/22/10/01/0037240/high-severity-microsoft-exchange-0-day-under-attack-t...
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network