Microsoft Confirms Zero-Day Attacks on Exchange Server 2013, 2016, and 2019

Microsoft has confirmed that attackers are actively exploiting two previously unknown (zero-day) vulnerabilities in on-premises Exchange Server 2013, 2016, and 2019. Microsoft identified them as CVE-2022-41040, a server-side request forgery (SSRF) flaw, and CVE-2022-41082, which allows remote code execution (RCE) when the attacker can reach Exchange's PowerShell endpoint.

Vietnamese cybersecurity firm GTSC first detected the attacks and reported the vulnerabilities through Trend Micro's Zero Day Initiative, and Microsoft confirmed them after investigating. GTSC said the attackers may be Chinese because the web shell's code page was 936, a Microsoft character encoding for Simplified Chinese.

GTSC also found that the group manages its web shells with AntSword, a Chinese open-source web shell administration tool, and that the web shells dropped on compromised servers are China Chopper variants, a lightweight backdoor commonly used by China-based threat groups. A web shell is a backdoor the attacker leaves behind after exploitation, not a vulnerability in itself.

Microsoft explained that CVE-2022-41040 lets an authenticated attacker reach the remote PowerShell endpoint through the Exchange front end, and that CVE-2022-41082 can then be triggered to execute code on the server. Both steps require valid credentials for the Exchange server, which attackers may obtain through credential theft. Microsoft said Exchange Online customers did not need to take any action because detections and mitigations were already in place; on-premises customers, by contrast, were told to apply interim mitigations until a fix ships.
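The indicators GTSC described above (the Autodiscover request that reaches the PowerShell endpoint, and AntSword traffic to a web shell) can be hunted for in IIS logs. The script below is an added example, not code from the article, GTSC or Microsoft: it parses IIS W3C log lines, URL-decodes the request URI so percent-encoding cannot hide the shape, and flags the two artefacts. The log lines are constructed for the demo (the request shape follows the pattern GTSC published; the web shell path and host names are placeholders), and the log directory in the final comment is the assumed IIS default.

```powershell
# Added example (not from the original article, GTSC or Microsoft).
# Constructed IIS W3C sample; the third request mimics the Autodiscover -> PowerShell
# shape GTSC published, the last one is AntSword talking to a placeholder web shell.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 07:12:03 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2022-09-28 07:12:41 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/powershell&Email=autodiscover/autodiscover.json%3f@contoso.example 443 contoso\jdoe 198.51.100.7 Mozilla/5.0 200
2022-09-28 07:12:59 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 192.0.2.10 Mozilla/5.0 401
2022-09-28 07:15:10 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 198.51.100.7 antSword/v2.1 200
'@

function ConvertFrom-IisW3CLog {
    # Turn W3C log lines into objects keyed by the names in the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Find-ProxyNotShellIndicators {
    param([string[]]$Lines)
    foreach ($r in (ConvertFrom-IisW3CLog -Lines $Lines)) {
        # Decode first so %3f / %40 style encoding of '?' and '@' cannot evade the match.
        $uri = [System.Uri]::UnescapeDataString("$($r.'cs-uri-stem')?$($r.'cs-uri-query')")
        $hit = $null
        if ($uri -match 'autodiscover\.json' -and $uri -match 'powershell' -and
            $uri -match '@' -and $r.'sc-status' -eq '200') {
            # Same elements as GTSC's hunting regex 'powershell.*autodiscover\.json.*\@.*200',
            # checked per field instead of across the raw line.
            $hit = 'Autodiscover SSRF reaching the PowerShell endpoint (HTTP 200)'
        }
        elseif ($r.'cs(User-Agent)' -match 'antSword') {
            $hit = 'AntSword web shell client User-Agent'
        }
        if ($hit) {
            [pscustomobject]@{
                Time      = "$($r.date) $($r.time)"
                Client    = $r.'c-ip'
                User      = $r.'cs-username'
                Uri       = $uri
                Indicator = $hit
            }
        }
    }
}

# Demo on the constructed sample: flags the POST to autodiscover.json and the AntSword request.
Find-ProxyNotShellIndicators -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# On a real server (assumed default IIS log root; adjust the W3SVC site folder as needed):
# Get-ChildItem -Recurse -Path 'C:\inetpub\logs\LogFiles' -Filter '*.log' |
#     ForEach-Object { Find-ProxyNotShellIndicators -Lines (Get-Content $_.FullName) }
```

The per-field check is deliberately broader than a single line-level regex: it matches regardless of the order in which "powershell" and "autodiscover.json" appear, and it works on the decoded URI, so a hit here is a starting point for triage rather than a confirmed compromise; look at the authenticated user, the source address, and what that account did next.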

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” the company stated. “Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. We are working on an accelerated timeline to release a fix.”

While Microsoft works on a patch, Trend Micro's Zero Day Initiative scored CVE-2022-41040 at 8.8 and CVE-2022-41082 at 6.3 on the CVSS scale. GTSC said the attackers chained the two vulnerabilities to plant backdoors on victims' systems and then move further into the compromised networks.

“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system,” said GTSC.

Because no security patches are available yet, both Microsoft and GTSC recommend that on-premises customers apply the following interim mitigations.

“On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports,” Microsoft stated. “The current mitigation is to add a blocking rule in ‘IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions’ to block the known attack patterns.”
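The two mitigations Microsoft describes can be scripted instead of clicked through IIS Manager. The script below is an added example, not Microsoft's mitigation tool or code from the article: it creates the URL Rewrite blocking rule and firewall rules for the Remote PowerShell ports (HTTP 5985 and HTTPS 5986), and is safe to re-run. It assumes the IIS URL Rewrite module is installed and that it runs elevated on the Exchange server. The rule name is an assumption. The regex is the lookahead pattern Microsoft published after its first pattern (a literal match on autodiscover.json, "@" and Powershell) was shown to be bypassable, and the rule is placed at the Default Web Site level, which covers the Autodiscover application named in the article; take the current pattern from Microsoft's guidance rather than from this page.

```powershell
# Added example, not Microsoft's EOMT script or code from the article.
# Run elevated on the Exchange server; requires the IIS URL Rewrite module.
Import-Module WebAdministration

$Site     = 'IIS:\Sites\Default Web Site'
$Rules    = 'system.webServer/rewrite/rules'
$RuleName = 'Block-ProxyNotShell'                 # assumed name
$Pattern  = '(?=.*autodiscover)(?=.*powershell)'  # Microsoft's revised pattern; verify against current guidance

# 1. URL Rewrite rule: abort any request whose decoded URI mentions both autodiscover and powershell.
if (-not (Get-WebConfiguration -PSPath $Site -Filter "$Rules/rule[@name='$RuleName']")) {
    Add-WebConfigurationProperty -PSPath $Site -Filter $Rules -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rules/rule[@name='$RuleName']/match" `
        -Name url -Value '.*'
    # Condition runs on the URL-decoded request URI so %-encoded variants are caught too.
    Add-WebConfigurationProperty -PSPath $Site -Filter "$Rules/rule[@name='$RuleName']/conditions" `
        -Name '.' -Value @{ input = '{UrlDecode:{REQUEST_URI}}'; pattern = $Pattern }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rules/rule[@name='$RuleName']/action" `
        -Name type -Value 'AbortRequest'
}

# 2. Block inbound Remote PowerShell (WinRM) ports. Add -RemoteAddress to exempt a management
#    network if administrators legitimately use WinRM against this host.
foreach ($port in 5985, 5986) {
    $name = "Block-RemotePowerShell-$port"       # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
    }
}

# 3. Show what was applied so the change can be checked.
Get-WebConfiguration -PSPath $Site -Filter "$Rules/rule[@name='$RuleName']" |
    Select-Object name, patternSyntax, stopProcessing
Get-NetFirewallRule -DisplayName 'Block-RemotePowerShell-*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Treat the rewrite rule as a stopgap: it blocks the request shape rather than fixing the flaw, and Microsoft had to revise the pattern more than once as bypasses were found. Microsoft later fixed both CVEs in the November 2022 Exchange Security Updates; once those are installed the rule is no longer needed, and until then the log hunt above is the way to tell whether the rule arrived before the attacker did.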