0-day on Microsoft Exchange Servers

Microsoft confirmed late Thursday the existence of two critical security vulnerabilities in Exchange. The two bugs are already being used by malicious actors and pose a serious risk to around 220.000 servers worldwide.


The unpatched security holes have been actively exploited since early August, when Vietnam-based security firm GTSC discovered that its customer networks were infected with malicious webshells and that the initial entry point was an Exchange vulnerability.

The mysterious exploit was almost identical to a 2021 Exchange vulnerability called ProxyShell, but the client servers had already been patched against that vulnerability, which was reported as CVE-2021-34473.

Eventually, researchers discovered that unknown hackers were exploiting a new Exchange vulnerability.

The GTSC post said attackers are exploiting the zero-day to infect servers with webshells, which allow them to run malicious commands. These webshells contain simplified Chinese characters, and researchers assume that the hackers are fluent in Chinese.

GTSC reports that the malware the hackers ultimately install mimics Microsoft's Exchange Web Service and connects to the IP address 137[.]184[.]67[.]33, which is hard-coded in the .

Independent researcher Kevin Beaumont reported that the address hosts a fake website with a single user and has been active since August. What the malware then sends and receives is encrypted with an RC4 key generated at command execution time. Beaumont reports that the backdoor appears to be new.

If you run on-premises Exchange servers, "you should immediately implement a blocking rule that prevents the servers from accepting known patterns". The rule can be found in Microsoft's publication.

"Currently, Microsoft also recommends that users block HTTP port 5985 and HTTPS port 5986, which attackers use to exploit CVE-2022-41082."


Written by giorgos

George still wonders what he's doing here ...
