Security News

Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough. Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution.

CVE-2022-41040 and CVE-2022-41082, the two exploited MS Exchange zero-days that still have no official fix, have been added to CISA's Known Exploited Vulnerabilities Catalog. Mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.

Introducing the book: Project Zero TrustIn this Help Net Security video interview, George Finney, CSO at Southern Methodist University, talks about his latest book - "Project Zero Trust: A Story about a Strategy for Aligning Security and the Business". How the CIO's relationship to IT security is changingIn this Help Net Security video, Joe Leonard, CTO at GuidePoint Security, illustrates how the role of the CIO is changing as cybersecurity priorities and responsibilities are creeping into the job description.

You need a password, but finding one email address and password combination valid at any given Exchange server is probably not too difficult, unfortunately. There are a surprising number of people who switched to the cloud, possibly several years ago, who were running both their on-premises and their cloud service at the same time during the changeover, who never got round to turning off the on-premises Exchange server.

Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center said in a Friday report.

Just having your Exchange server accessible to email users over the internet is not enough on its own to expose you to attack, because so-called unauthenticated invocation of these bugs is not possible. According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit attackers from chaining from the first vulnerability to the second.

Attackers are leveraging two zero-day vulnerabilities to breach Microsoft Exchange servers."At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities."

Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution when PowerShell is accessible to the attacker," the tech giant said.

Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild. "At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems."We detected webshells, mostly obfuscated, being dropped to Exchange servers," the company noted.