Microsoft accepted that it knows about the two Exchange Server zero-day vulnerabilities that have been compromised in targeted cyberattacks. GSTC, a cybersecurity agency from Vietnam, reports finding attacks comprising two latest Microsoft Exchange zero-day vulnerabilities. It thinks that the attacks, which first surfaced in August and aimed at crucial infrastructure, were orchestrated by Chinese threat actors.
Technical details about the vulnerabilities have not been disclosed publicly yet, however, GSTC says that the attacker's exploitation activities following the attack include the installation of backdoors, deployment of Malware, and lateral movement.
Microsoft was informed about vulnerabilities through the Zero Day Initiative (ZDI), by Trend Micro. Microsoft posted a blog telling its customers that the company is looking into two reported zero-day vulnerabilities. As per Microsoft, one flaw is a server-side request forgery (SSRF) issue, identified as CVE-2022-41040 and the second flaw is an RCE (remote code execution) flaw identified as CVE-2022-41082. The security loopholes seem to affect Exchange Server 2013, 2016, and 2019.
According to Microsoft, it is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.
Microsoft is currently working on an accelerated timeline to fix the vulnerabilities. For the time being, it has given detailed guidelines to protect against the vulnerability. It believes that its products should identify post-exploitation malware and any malicious activities related to it. Microsoft Online Exchange users don't have to do anything.
"Security researcher Kevin Beaumont has named the vulnerabilities ProxyNotShell due to similarities with the old ProxyShell flaw, which has been exploited in the wild for more than a year. In fact, before Microsoft confirmed the zero-days, Beaumont believed it might just be a new and more effective variant of the ProxyShell exploit, rather than an actual new vulnerability," reports Security Week.
Google Project Zero says that in H1 2022, around half of the Zero-day vulnerabilities exploited in attacks were linked to old flaws not appropriately patched. Maddie Stone, a researcher in Google Project Zero posted a blog post continuing part of her speech at the First conference held in June 2022, her presentation is called "0-day In The Wild Exploitation in 2022...so far."
Researchers from the University of California, Santa Barbara, presented a "scalable technique" to check smart contracts and minimize state-inconsistency bugs, finding forty-seven zero-day vulnerabilities on the Ethereum blockchain during the process. Smart contracts are programs stored on the blockchain that are executed automatically when default conditions are met, depending on the encoded terms of the agreement.
We uncovered an IE 0day vulnerability has been embedded in malicious MS Office document, targeting limited users by a known APT actor.Details reported to MSRC @msftsecresponse— 360 Core Security (@360CoreSec) April 20, 2018
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.
Image Credits: Alientvault |
Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware. CrySys immediately reported to the Microsoft about the vulnerability.