4 October 2022

Microsoft Exchange server zero-day mitigation is insufficient, security researchers warn


Microsoft Exchange server zero-day mitigation is insufficient, security researchers warn

Last week, reports emerged about two unpatched zero-day vulnerabilities affecting Microsoft Exchange servers that have already been exploited in the wild.

One of the flaws (CVE-2022-41082) is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while the second bug (CVE-2022-41040) allows a remote attacker to perform SSRF attacks. A China-linked threat group has been observed exploiting the vulnerabilities to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims' networks.

While Microsoft has yet to release security updates to fix the bugs, collectively dubbed “ProxyNotShell,” it has provided mitigations to help customers prevent such attacks. The company also recommended that Exchange Server customers “disable remote PowerShell access for non-admin users” in the organization.

However, security researchers warn that these measures can be easily bypassed.

“The URL pattern to detect/prevent the Exchange 0day provided in MSRC's blog post can easily be bypassed. The DLL can be modified by dnSpy and confirmed working well without any side-effect,” a security researcher who goes online as Jang wrote in a tweet.

Cybersecurity researcher Will Dormann agreed with Jang’s assessment and said that the '@' in Microsoft’s URL block “seems unnecessarily precise, and therefore insufficient.”

Interestingly enough, scammers are already taking advantage of the situation by offering fake proof-of-concept exploits for CVE-2022-41040 and CVE-2022-41082 on GitHub for as little as $420. Security researchers spotted five now-removed accounts attempting to sell the fake exploits ('jml4da', 'TimWallbey', 'Liu Zhao Khin (0daylabin)', 'R007er', and 'spher0x'), as well as a scam account impersonating Kevin Beaumont (aka GossiTheDog), a well-known cybersecurity researcher.
