The two new zero-day vulnerabilities in Microsoft Exchange Server – CVE-2022-41040 and CVE-2022-41082 – were detailed last week, with warnings that they could allow hackers to remotely gain access to internal services and execute remote code on networks. Now Microsoft has provided more information on how the vulnerabilities have already been used – in attacks that first started in August.

In what’s described as a “small number of targeted attacks”, the CVE-2022-41040 and CVE-2022-41082 vulnerabilities were chained together to provide attackers with “hands-on-keyboard access”, which was used to perform Active Directory reconnaissance and to steal data. The victims haven’t been publicly disclosed.

The attacks require the attacker to be an authenticated user, but it’s possible to gain access to such credentials through phishing attacks, brute-force attacks or buying stolen usernames and passwords from underground forums. While there are currently no specific indications as to who’s behind these attacks, Microsoft’s Security Threat Intelligence Team (MSTIC) “assesses with medium confidence” that they’re the work of a single activity group connected to a state-sponsored cyber operation.

Microsoft says it’s working on what it describes as an “accelerated timeline” to release a security fix for the vulnerabilities – although it has yet to emerge. But since the vulnerabilities have been publicly disclosed, it’s likely that hacking operations are already moving to take advantage of them before a patch becomes available, with Microsoft warning that “overall exploitation of these vulnerabilities will increase”.
Previous Microsoft Exchange vulnerabilities were featured in a variety of cyberattacks, including state-sponsored cyber-espionage campaigns, ransomware operations and cryptojacking attacks as attackers rushed to exploit the vulnerabilities before organisations had a chance to apply the patch. The United States Cybersecurity & Infrastructure Security Agency (CISA) has also issued a warning that attackers could exploit the latest Microsoft Exchange Server vulnerabilities. While a patch is yet to become available, Microsoft has provided guidance on mitigating the threat, including the recommendation that Exchange Server customers disable remote PowerShell access for non-admin users. “CISA encourages users and administrators to review the information from Microsoft and apply the necessary mitigations until patches are made available,” said a CISA alert.
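The recommendation above to disable remote PowerShell for non-admin users can be applied from the Exchange Management Shell. The script below is an added example, not the article's or Microsoft's own code; it assumes an Exchange Management Shell session and treats members of the "Organization Management" role group as the administrators who must keep access.

```powershell
# Added example: disable remote PowerShell for every user who is not an Exchange
# administrator. Assumes an Exchange Management Shell session (Get-User, Set-User,
# Get-RoleGroupMember are Exchange cmdlets). Runs with -WhatIf as a dry run.

# Distinguished names of the administrators we must leave untouched.
# Assumption: "Organization Management" is the admin role group to preserve.
$admins = Get-RoleGroupMember -Identity "Organization Management" |
    ForEach-Object { $_.DistinguishedName }

# Every user object that currently has remote PowerShell enabled.
$candidates = Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true }

foreach ($u in $candidates) {
    # Keep administrators working; everyone else loses remote PowerShell.
    if ($admins -contains $u.DistinguishedName) { continue }

    Write-Host "Disabling remote PowerShell for $($u.UserPrincipalName)"
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf
}
```

Remove `-WhatIf` once the dry-run output lists only the accounts you intend to change; accounts added later still need the same treatment until the patch is applied.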