Highlights:

  • One primary constraint of these vulnerabilities is that an attacker must have authenticated access to an Exchange server to use these exploits.
  • Although no patch is yet available, Microsoft has issued a list of remedial steps that organizations can take to safeguard their systems.

Microsoft Exchange Server is a staple for businesses but is also a prime target for hackers. Last week, GTSC announced that attackers had begun chaining two new zero-day Exchange flaws as part of coordinated attacks.

Though not much information is available, Microsoft confirmed in a blog post that a suspected state-sponsored threat actor had used these flaws to successfully exfiltrate data from fewer than 10 organizations.

The vulnerabilities affect Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) flaw, and CVE-2022-41082 allows remote code execution when the attacker has access to PowerShell.

When chained with other techniques, an attacker can use the SSRF flaw to deploy malware onto a target network remotely.

On-premises Microsoft Exchange servers: An irresistible target

Given that 65,000 businesses are using Microsoft Exchange, organizations must be prepared: threat actors can and will exploit these vulnerabilities. After all, this is not the first time that on-premises Exchange servers have been attacked.

In March of 2017, a Chinese threat actor named Hafnium exploited four zero-day vulnerabilities in on-premises versions of Exchange Server and successfully compromised at least 30,000 U.S. firms.

During these attacks, Hafnium stole user credentials to access the enterprises’ Exchange servers, deployed malware to obtain remote administrative access, and began collecting sensitive data.

While this unidentified state-sponsored threat actor has targeted only a few businesses, Exchange is a high-value target for cybercriminals because it provides access to sensitive information.

Travis Smith, vice president of malware threat research at Qualys, said, “Exchange is a juicy target for threat actors to exploit for two primary reasons.”

He continued, “First, Exchange is an email server, so it must be connected directly to the internet. And being directly connected to the internet creates an attack surface accessible from anywhere in the world, drastically increasing its risk of being attacked.”

One primary constraint of these vulnerabilities is that an attacker must have authenticated access to an Exchange server to use these exploits.

While this is a barrier, threat actors can easily obtain login credentials – by purchasing one of the 15 billion exposed passwords on the dark web, or by fooling staff into handing them over through phishing emails or social engineering attacks.

At this stage, Microsoft anticipates that there will be an uptick in activity around the threat.

How to reduce the risk

While no patch is available yet, Microsoft has issued a list of remedial steps that organizations can take to safeguard their systems.

Microsoft recommends that businesses review and implement the URL Rewrite instructions detailed in its Microsoft Security Response Center post, and has released a script that applies the SSRF mitigation.
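The URL Rewrite mitigation works by URL-decoding each request URI on the Autodiscover path and aborting any request that matches a regular expression. The following added example (not Microsoft's script and not code from the original article) reproduces that check in Python so it can be tested, and reuses it to scan IIS log lines retrospectively. The regex is an assumption transcribed from memory of Microsoft's revised guidance, which was updated more than once; confirm it against the current MSRC post before relying on it. The log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Assumed pattern from Microsoft's revised URL Rewrite mitigation: the two
# lookaheads require both "autodiscover" and "powershell" anywhere in the URI.
MITIGATION_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def should_block(request_uri: str) -> bool:
    """Mirror the rewrite rule: decode {REQUEST_URI} once, as the rule's
    {UrlDecode:...} condition does, then test the decoded string.
    Returns True when the rule would abort the request."""
    return MITIGATION_PATTERN.search(unquote(request_uri)) is not None


def scan_iis_log(lines):
    """Apply the same test to IIS W3C log lines. Assumed field order (set by the
    #Fields header of the constructed sample): date time s-ip cs-method
    cs-uri-stem cs-uri-query. Returns the lines the rule would have blocked,
    which is the check to run on servers that were exposed before mitigation."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # skip the W3C header and blank lines
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; not enough fields to reconstruct the URI
        stem, query = fields[4], fields[5]
        uri = stem if query == "-" else f"{stem}?{query}"
        if should_block(uri):
            hits.append(line)
    return hits


# Constructed sample log (not real traffic): a normal Autodiscover lookup, a
# normal OWA request, and a request whose percent-encoded query names a
# PowerShell endpoint, which the rule only catches after decoding.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query
2022-10-03 09:12:01 10.0.0.5 POST /autodiscover/autodiscover.xml -
2022-10-03 09:12:07 10.0.0.5 GET /owa/ -
2022-10-03 09:13:44 10.0.0.5 GET /autodiscover/autodiscover.json %40example.com%2Fpowershell"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print("would be blocked by the rewrite rule:", hit)
```

Because this mirrors the rewrite rule, it inherits the rule's limits: it is a stopgap that blocks one request shape, not a fix for the underlying flaws.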

The tech firm also recommends the following steps for organizations that use Microsoft 365 Defender:

  • Enable cloud-delivered protection in Microsoft Defender Antivirus
  • Turn on tamper protection
  • Run EDR in block mode
  • Enable network protection to block users and applications from accessing malicious sites
  • Enable fully automated investigation and remediation

Indirectly, enterprises can limit the risk of exploitation by emphasizing security awareness. They can also educate employees about social engineering and the importance of good password management. This reduces the likelihood of a cybercriminal obtaining the credentials needed to reach Exchange.

Lastly, it may be time for organizations to consider whether running an on-premises Exchange server is still necessary.