Attackers are currently exploiting two unpatched vulnerabilities to remotely compromise on-premises Microsoft Exchange servers. Microsoft confirmed the flaws late last week and published mitigation advice until a complete patch can be developed, but according to reports, the proposed mitigation can be easily bypassed.

The new vulnerabilities were discovered in early August by a Vietnamese security company called GTSC while performing security monitoring and incident response for a customer whose servers were attacked. Initially, the GTSC researchers thought they might be dealing with a ProxyShell exploit based on the malicious requests seen in the server logs, which looked similar. ProxyShell is an attack that chains three Exchange vulnerabilities and was patched last year.

However, the incident response team quickly realized that the compromised Exchange servers where attackers had obtained remote code execution capabilities were fully up to date, which meant this couldn't be ProxyShell. After reverse engineering confirmed they were dealing with previously unknown vulnerabilities, they submitted a report to Trend Micro's Zero Day Initiative (ZDI) program, whose analysts confirmed them and shared them with Microsoft.

The new attack exploits two vulnerabilities

The new attack chain exploits two new flaws that Microsoft now tracks as CVE-2022-41040 and CVE-2022-41082. The first one is a server-side request forgery (SSRF) issue that enables an authenticated attacker to trigger the second vulnerability. This in turn allows remote code execution via PowerShell. The flaws affect Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019, while Microsoft Exchange Online already has detections and mitigations in place. "It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability," Microsoft said in its advisory.

In the attacks seen by GTSC across multiple customers, the attackers used the exploit to deploy web shells – backdoor scripts – masquerading as legitimate Exchange files such as RedirSuiteServiceProxy.aspx. They then proceeded to deploy credential dumping malware to steal credentials from the compromised servers.
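Because the web shells described above were dropped under legitimate-looking Exchange file names, a file-integrity comparison of the server's .aspx files against a known-good baseline is one way defenders can surface them. The following is an added example for this article, not code from GTSC, Microsoft or the original post; the baseline hashes, file contents and paths are constructed in memory so it runs offline (in practice the baseline would be captured from a clean install and the observed files read from the Exchange front-end web directories).

```python
import hashlib
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: relative path -> sha256 of the known-good .aspx file.
BASELINE = {
    "owa/auth/logon.aspx": sha256_hex(b"<%@ Page ... logon %>"),
    "ecp/default.aspx": sha256_hex(b"<%@ Page ... ecp %>"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    reason: str  # "unknown_file" (not in baseline) or "modified_file" (hash differs)

def triage_aspx_files(observed: dict[str, bytes],
                      baseline: dict[str, str] = BASELINE) -> list[Finding]:
    """Flag .aspx files that are absent from, or differ from, the baseline.

    `observed` maps relative path -> file bytes. Non-.aspx files are ignored
    because this check targets server-side scripts that could act as web shells.
    """
    findings: list[Finding] = []
    for path, content in sorted(observed.items()):
        if not path.lower().endswith(".aspx"):
            continue
        expected = baseline.get(path)
        if expected is None:
            findings.append(Finding(path, "unknown_file"))
        elif sha256_hex(content) != expected:
            findings.append(Finding(path, "modified_file"))
    return findings

# Constructed sample of what an on-disk scan might return: a clean logon page,
# a legitimate page with appended content, a non-script asset, and an unknown
# script using the legitimate-looking name from the article.
SAMPLE_OBSERVED = {
    "owa/auth/logon.aspx": b"<%@ Page ... logon %>",
    "ecp/default.aspx": b"<%@ Page ... ecp %><!-- appended -->",
    "owa/auth/logo.png": b"\x89PNG",
    "owa/auth/RedirSuiteServiceProxy.aspx": b"<!-- constructed placeholder -->",
}

if __name__ == "__main__":
    for finding in triage_aspx_files(SAMPLE_OBSERVED):
        print(f"{finding.reason:14s} {finding.path}")
```

Exchange cumulative and security updates legitimately replace these files, so the baseline must be regenerated after every update or the check will report false positives.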