0-day on Microsoft Exchange Servers

Microsoft confirmed late Thursday of the existence of two critical security vulnerabilities in the Exchange application. The two bugs are already being used by malicious users and pose a serious risk to around 220.000 servers worldwide.


The unpatched security holes have been actively exploited since early August, when Vietnam-based security firm GTSC discovered that its customer networks were infected with malicious webshells and that the initial entry point was an Exchange vulnerability.

The mysterious exploit was almost identical to an Exchange zero-day from 2021 called ProxyShell, but the clients' servers had been patched for this vulnerability, which has been reported as CVE-2021-34473.

Eventually, researchers discovered that unknown hackers were exploiting a new Exchange vulnerability.

The GTSC post said attackers are exploiting the zero-day to infect servers with webshells, which allow them to run malicious commands. These webshells contain simplified Chinese characters, and researchers assume that the hackers are fluent in Chinese.

GTSC says the malware the hackers eventually install impersonates Microsoft's Exchange Web Service and connects to the binary-encoded IP address 137[.]184[.]67[.]33.

Independent researcher Kevin Beaumont reported that the address hosts a fake website with a single user and has been active since August. The malware then sends and receives data encrypted with an RC4 encryption key generated at command runtime. Beaumont reports that the backdoor appears to be new.

IF you run on-premises Exchange servers “you should immediately implement a blocking rule that prevents the servers from accepting known attack patterns”. The rule can be found at Microsoft publication.

"Currently, Microsoft also recommends that users block HTTP port 5985 and HTTPS port 5986, which attackers use to exploit CVE-2022-41082."

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.097 registrants.
0day,zero day,0-day,Microsoft Exchange,Microsoft,Exchange,iguru

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).