
State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

by crpt os


Microsoft on Friday (September 30, 2022) disclosed that a single activity group, in August 2022, achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at fewer than 10 organizations globally.

“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” the Microsoft Threat Intelligence Center (MSTIC) said in a Friday report.

The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the “highly privileged access Exchange systems confer onto an attacker.”

The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier this month on September 8-9, 2022.


The two vulnerabilities have been collectively dubbed ProxyNotShell because “it is the same path and SSRF/RCE pair” as ProxyShell, only this time behind authentication, suggesting that the original ProxyShell patch was incomplete.

The issues, which are strung together to achieve remote code execution, are listed below –

  • CVE-2022-41040 – Microsoft Exchange Server Server-Side Request Forgery Vulnerability
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability

“While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user,” Microsoft said. “Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”

The vulnerabilities were first discovered by Vietnamese cybersecurity company GTSC as part of its incident response efforts for a customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by October 21, 2022.


Microsoft said that it’s working on an “accelerated timeline” to release a fix for the shortcomings. It has also published a script that automates the following URL Rewrite mitigation, which it said is “successful in breaking current attack chains” –

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule and select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.
  • Change the Condition input from {URL} to {REQUEST_URI}

As additional prevention measures, the company is urging customers to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users not to accept unexpected two-factor authentication (2FA) prompts.

“Microsoft Exchange is a juicy target for threat actors to exploit for two primary reasons,” Travis Smith, vice president of malware threat research at Qualys, told The Hacker News.

“First, Exchange […] being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function — organizations can’t just unplug or turn off email without severely impacting their business in a negative way.”
