Cybercriminals are exploiting two new zero-day bugs in Microsoft Exchange. Three weeks ago, the researchers who found them reported the flaws privately to Microsoft through the Zero Day Initiative.
Abuse of zero-day flaws
Researchers from GTSC have spotted attacks taking advantage of the zero-day flaws for remote code execution. The two flaws are tracked as CVE-2022-41040 and CVE-2022-41082.
The attackers chained the zero-day flaws to drop China Chopper web shells on compromised servers for persistence, data theft, and lateral movement to other systems on the network.
The researchers claimed that a Chinese threat group is behind these recent attacks, based on the web shells' code page, which uses a Microsoft character encoding for simplified Chinese.
Further, the user agent used to install the web shells belongs to Antsword, a China-based open-source website administration tool with web shell management support.
Zero Day Initiative is tracking the bugs as ZDI-CAN-18802 and ZDI-CAN-18333.
How are the flaws exploited?
GTSC has released only a few details about the zero-day flaws, as no patch is available yet.
Researchers disclosed that the requests used in the exploit chain are similar to those used in attacks targeting the ProxyShell flaws.
The exploit works in two stages: the first stage sends requests in a format similar to the ProxyShell exploit, and the second uses that access to reach a backend component and achieve remote code execution.
Mitigation
Microsoft hasn't released security updates to address the zero-days yet. However, GTSC has shared a temporary mitigation: adding a new IIS server rule with the URL Rewrite Rule module. Organizations are advised to apply the temporary fix as soon as possible to stay protected.
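As an added example that is not part of this report or GTSC's own tooling, the following Python scanner runs over a constructed IIS log excerpt and flags the two indicators described above: the Antsword user agent on web shell traffic, and requests whose decoded URI matches the autodiscover/powershell pattern that the published URL Rewrite mitigation for these CVEs blocks. The log lines, IP addresses and file paths are constructed sample data, and the URI pattern is an assumption taken from public mitigation guidance rather than from this page.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed IIS W3C log excerpt (sample data, not from a real server).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2022-09-28 10:02:10 10.0.0.5 POST /autodiscover/autodiscover.json a=powershell 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 120
2022-09-28 10:03:33 10.0.0.5 POST /aspnet_client/sample.aspx - 443 - 203.0.113.9 antSword/v2.1 - 200 0 0 30
"""

# Indicator 1 (from the report): the Antsword tool's user agent on web shell traffic.
ANTSWORD_UA = re.compile(r"antsword", re.IGNORECASE)
# Indicator 2 (assumption, not from this page): the request shape that the
# URL Rewrite mitigation published for these CVEs matches on the decoded URI.
SUSPICIOUS_URI = re.compile(r"autodiscover.*powershell", re.IGNORECASE)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format IIS log text into one dict per request, keyed by #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Return the requests that match either indicator, with the reasons."""
    hits: List[Dict[str, object]] = []
    for row in parse_iis_log(text):
        stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        reasons = []
        if ANTSWORD_UA.search(row.get("cs(User-Agent)", "")):
            reasons.append("antsword-user-agent")
        if SUSPICIOUS_URI.search(urllib.parse.unquote(uri)):  # decode once so encoded variants match
            reasons.append("autodiscover-powershell-uri")
        if reasons:
            hits.append({"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
                         "uri": uri, "status": row["sc-status"], "reasons": reasons})
    return hits
```

Point `find_suspicious` at the contents of real IIS log files to triage a server; a hit is a lead for investigation, not proof of compromise on its own.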