Microsoft confirmed late on Thursday (29 September 2022) that two critical, as yet unpatched, vulnerabilities exist in Exchange Server, tracked as CVE-2022-41040 and CVE-2022-41082. Both are already being exploited in the wild and put an estimated 220,000 on-premises servers worldwide at risk.
The holes have been actively exploited since at least early August, when Vietnam-based security firm GTSC found that its customers' networks had been infected with malicious webshells and traced the initial entry point to an Exchange vulnerability.
The mysterious exploit was almost identical to a 2021 Exchange zero-day known as ProxyShell, but the customers' servers had already been patched against that vulnerability, tracked as CVE-2021-34473.
Eventually, researchers discovered that unknown hackers were exploiting a new Exchange vulnerability.
The GTSC post says the attackers are using the zero-day to plant webshells on servers, which let them run arbitrary commands. The webshells contain simplified Chinese characters, and the researchers suspect the operators are Chinese speakers.
GTSC says the malware the attackers eventually install impersonates Microsoft's Exchange Web Services and connects to the IP address 137[.]184[.]67[.]33, which is stored in the binary in encoded form.
Independent researcher Kevin Beaumont reported that the address hosts a fake website with a single user and has been active since August. Traffic between the malware and that address is encrypted with RC4, using a key generated at runtime. Beaumont reports that the backdoor appears to be new.
If you run on-premises Exchange servers, Microsoft says you "should immediately implement a blocking rule that prevents the servers from accepting known attack patterns". The rule is an IIS URL Rewrite request-blocking rule on the Autodiscover virtual directory; the exact steps and the pattern to block are in Microsoft's advisory.
Microsoft also recommends blocking inbound HTTP port 5985 and HTTPS port 5986 (WinRM, i.e. remote PowerShell), which an attacker needs in order to exploit CVE-2022-41082, the remote-code-execution half of the pair that requires authenticated access. Both measures are mitigations, not a patch; none was available when Microsoft published its guidance.
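The following script is an added example, not Microsoft's or GTSC's own tooling, that puts the two recommendations above into practice and adds the check a responder would want first: scan the IIS logs for the request pattern GTSC published, then add the Autodiscover request-blocking rule and the WinRM port blocks. It assumes an on-premises Exchange server with the IIS URL Rewrite module and the WebAdministration PowerShell module installed, an elevated session, the default IIS log root, and illustrative names for the rewrite and firewall rules. The blocking pattern shown is the one from Microsoft's first advisory; Microsoft revised it after the first version was shown to be bypassable, so take the pattern from the current advisory rather than from here.

```powershell
# Added example (not Microsoft's or GTSC's script). Assumes an on-premises
# Exchange server with the IIS URL Rewrite module and the WebAdministration
# PowerShell module installed; run from an elevated PowerShell session.
# Log path, rule name and firewall rule names are illustrative choices.
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Pattern from Microsoft's first mitigation guidance. It was later revised
# because the first version could be bypassed; replace $BlockPattern with the
# pattern listed in the current advisory.
$BlockPattern = '.*autodiscover\.json.*\@.*Powershell.*'
$RuleName     = 'BlockProxyNotShellAutodiscover'          # illustrative name
$SitePath     = 'IIS:\Sites\Default Web Site\Autodiscover'

function Find-ExploitAttempts {
    # Mirrors the IIS-log check GTSC published: successful (HTTP 200) requests
    # that chain the Autodiscover endpoint into the PowerShell backend.
    param([string]$IisLogRoot = 'C:\inetpub\logs\LogFiles')  # default IIS log root
    Get-ChildItem -Recurse -Path $IisLogRoot -Filter '*.log' |
        Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200' |
        Select-Object Path, LineNumber, Line
}

function Add-AutodiscoverBlockRule {
    param([string]$Name, [string]$Pattern, [string]$Site)
    $rules = 'system.webServer/rewrite/rules'
    $existing = Get-WebConfigurationProperty -PSPath $Site `
        -Filter "$rules/rule[@name='$Name']" -Name 'name' -ErrorAction SilentlyContinue
    if ($existing) { Write-Output "Rule '$Name' already present"; return }

    # Request-blocking rule: match every URL, abort the request when the
    # decoded request URI matches the pattern. The condition input must be
    # {REQUEST_URI}, not {URL}: the '@' and 'powershell' segments of the
    # exploit request sit in the query string, which {URL} does not include.
    Add-WebConfigurationProperty -PSPath $Site -Filter $rules -Name '.' `
        -Value @{ name = $Name; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $Site `
        -Filter "$rules/rule[@name='$Name']/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $Site `
        -Filter "$rules/rule[@name='$Name']/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }
    Set-WebConfigurationProperty -PSPath $Site `
        -Filter "$rules/rule[@name='$Name']/action" -Name 'type' -Value 'AbortRequest'
    Write-Output "Added URL Rewrite rule '$Name' on $Site"
}

function Block-RemotePowerShellPorts {
    # Microsoft's second recommendation: block the WinRM / remote PowerShell
    # ports. Caveat: this also cuts legitimate WinRM management of the host;
    # narrow the rule with -RemoteAddress to the admin subnets you still need.
    foreach ($port in 5985, 5986) {
        $name = "Block inbound TCP $port (Exchange mitigation)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound `
                -Protocol TCP -LocalPort $port -Action Block | Out-Null
            Write-Output "Firewall: blocking inbound TCP $port"
        }
    }
}

# 1. Check whether the server has already been hit before mitigating.
$hits = Find-ExploitAttempts
if ($hits) {
    Write-Warning "Found $($hits.Count) request(s) matching the exploit pattern; treat the server as possibly compromised and hunt for webshells."
    $hits | Format-Table -AutoSize
}
# 2. Apply the two mitigations from Microsoft's guidance.
Add-AutodiscoverBlockRule -Name $RuleName -Pattern $BlockPattern -Site $SitePath
Block-RemotePowerShellPorts
```

Two points worth keeping in mind when running it: a log hit means the mitigation is arriving too late for that host, so the next step is webshell hunting and incident response rather than just the rewrite rule; and the rewrite rule is a stop-gap that only blocks the known request shape, which is exactly why Microsoft had to revise the pattern. Install the Exchange security update as soon as one is available rather than relying on the rule.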