Microsoft confirms two Exchange Server zero days are being used in cyberattacks
Andrea Peterson September 30, 2022

Microsoft confirms two Exchange Server zero days are being used in cyberattacks

Andrea Peterson

September 30, 2022

Microsoft confirms two Exchange Server zero days are being used in cyberattacks

Microsoft confirmed it is investigating two zero days affecting its Exchange Server software late Thursday following a report from Vietnamese cybersecurity firm GTSC that the vulnerabilities are being exploited in the wild.

GTSC said it discovered the issues in August while doing security incident monitoring and response, then reported the issue to Microsoft’s Zero Day Initiative, which confirmed the bugs.

The attacks GTSC reported chain together the two vulnerabilities. 

One is what’s known as a server-side request forgery vulnerability, designated as CVE-2022-41040, that can allow an attacker with credentials for a user account on the mail server to gain unauthorized levels of access. The second vulnerability, identified as CVE-2022-41082, allows remote code execution similar to the 2021 ProxyShell issues that caused chaos for many companies according to GTSC, although the firm wrote it was not yet comfortable releasing the technical details. 

Remote code execution vulnerabilities are typically considered especially dangerous because they give attackers the power to make changes to victims’ systems. Email services are also key to many day-to-day operations and may contain sensitive information, making them attractive targets for attackers. 

“Exchange is a mission critical function – organizations can’t just unplug or turn off email without severely impacting their business in a negative way,” Travis Smith, Vice President of Malware Threat Research at Qualys, told The Record over email. 

GTSC shared indicators of compromise, instructions for how to mitigate until a patch is released, and links to code it created for detecting infected systems. The cybersecurity firm said it shared information about the issue and mitigation methods publicly after discovering attacks deploying the vulnerabilities being used against multiple victims.

“In addition, we are also concerned that there may be many other organizations that have been exploited but have not been discovered,“ the company wrote in a blog post.

Microsoft confirmed on Thursday that the problems affect those running Microsoft Exchange Server 2013, 2016, and 2019 on premise and are being currently exploited. The tech giant shared similar temporary mitigation and detection guidance as GSTC and said it is “working on an accelerated timeline to release a fix.”

It’s unclear who is currently exploiting the vulnerability in the wild, but GSTC’s report included several indicators suggesting that the attackers are Chinese language speakers — including the use of a Chinese open-source website administration tool Antsword and strings of code with similarities to the China Chopper malware

It’s unclear how widespread attacks exploiting the vulnerabilities have been so far. 

Microsoft’s blog noted that Microsoft Exchange Online, its cloud-based server option, is not affected, and the attackers need access to the credentials of a legitimate user on the server to exploit.

However, researcher Kevin Beaumont noted in a blog post that self-hosting mail servers via Microsoft Exchange remains popular. 

“Near a quarter of a million vulnerable Exchange servers face the internet, give or take,” he wrote, sharing data from internet-connected device search service Shodan. 

Organizations who were vulnerable to ProxyShell should be particularly vigilant, Smith said. 

“Those responsible for patching Exchange servers need to take their lessons learned on rapid remediation, as this vulnerability is likely to see increased exploitation quickly in the coming days,” he said.

Jonathan Greig contributed reporting for this story. 

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.