Microsoft investigating alleged Exchange zero-day
Microsoft said it is looking into reports of a new zero-day vulnerability affecting Exchange servers.
South Korean cybersecurity company AhnLab published a blog post on Tuesday explaining that during their examination of a LockBit ransomware attack in July, their researchers discovered two infected servers running Windows Server 2016 Standard.
The customer, which had 1.3 TB of data stolen from their servers, had a history of being attacked and compromised through Microsoft Exchange Server vulnerabilities as recently as December 2021.
Since then, the company had applied Microsoft's patches quarterly, and AhnLab found no vulnerabilities related to remote command execution or file creation among the bugs Microsoft disclosed after May.
“It is presumed that an undisclosed vulnerability exists in Microsoft Exchange Server,” the company said. “Considering that WebShell was created on July 21, it is expected that the attacker used an undisclosed zero-day vulnerability.”
According to @AhnLab_SecuInfo, there is a new Exchange 0day. Different from GTSC’s CVE-2022-41040, CVE-2022-41082. https://t.co/01xiQdIfwl
— Tears (@SecuriTears) October 11, 2022
The researchers noted that there is a possibility that the attackers used CVE-2022-41040 and CVE-2022-41082 — two recently-discovered vulnerabilities known colloquially as “ProxyNotShell.”
But several factors, including the attack method, the file names and the subsequent attacks indicated to AhnLab researchers that the attacker used a different zero-day vulnerability.
"We're investigating the claims in this report and will take any action needed to help protect customers," a Microsoft spokesperson told The Record when asked about the bug.
Phil Neray, vice president of cyber defense strategy at CardinalOps, noted that the incident described by AhnLab is fairly sophisticated and required several attack techniques.
LockBit, he added, recently announced version 3.0 of its ransomware, which has helped propel the group into becoming one of the most prolific criminal ransomware operations currently active.
“The LockBit gang is now the #1 ransomware gang worldwide, and with the new LockBit 3.0 version — also known as ‘LockBit Black’ — they're delivering advanced features such as disabling Microsoft Windows Defender to evade detection, and a bug bounty program that pays researchers to submit security reports for rewards ranging between $1,000 and $1 million,” he said.
Microsoft faced minor backlash from security experts on Tuesday for releasing patches addressing 85 different vulnerabilities yet leaving out CVE-2022-41040 and CVE-2022-41082 – the ProxyNotShell bugs currently being exploited by state-backed groups.
The Zero Day Initiative’s Dustin Childs told The Record that the two Exchange bugs have been actively exploited for at least two weeks.
“These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed,” he said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.