Microsoft has confirmed that two zero-day vulnerabilities in its Exchange Server are being actively exploited. Attackers are using these as-yet-unpatched flaws in the wild. The exploitation was first discovered by GTSC, a Vietnamese cybersecurity company.
GTSC uncovered the exploitation in August 2022, when its customers reported attacks on their environments. Microsoft has acknowledged the two vulnerabilities: CVE-2022-41040, a server-side request forgery (SSRF) in Exchange Server, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker. Chained together, the SSRF gives an attacker a path to trigger the code-execution flaw.
As of now, these two issues are the only ones Microsoft has acknowledged as being used by attackers to get into a company's systems. Microsoft also stated that an attacker needs authenticated access to the vulnerable Exchange Server to exploit them; that access could come from stolen credentials. The affected Microsoft Exchange Server versions are 2013, 2016 and 2019.
Microsoft has not released details of the attacks; it rates the vulnerabilities with severity scores as high as 8.8 out of 10. According to GTSC, the attackers used the vulnerabilities to establish backdoor access to victim systems, gain a foothold in the compromised organisation's network and collect sensitive information.
GTSC suspects a Chinese group is behind the exploitation because the code page tied to the webshell is one used for Simplified Chinese, and because the attacks used the China Chopper webshell, which is commonly used by Chinese threat actors. Microsoft had no timeline for patches but said it is working on them. Until a patch is available, Microsoft recommends the mitigation measures proposed and shared by GTSC.
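The page does not reproduce GTSC's measures. As an added example (not GTSC's or Microsoft's own tooling), the PowerShell below hunts IIS logs on an Exchange server for the request shape GTSC published in its own write-up: a request to `autodiscover.json` whose path or query contains an `@` followed by `powershell`, answered with HTTP 200. The sample log lines, the `evil.example` host, the client IP and the default log path are constructed for illustration.

```powershell
# Added example: hunt IIS W3C logs for the Exchange zero-day request pattern.
# The regex is the one GTSC published for these attacks; the field mapping is
# read from the log's own "#Fields:" header so column order does not matter.

function Find-ProxyNotShellRequests {
    [CmdletBinding()]
    param(
        # Raw lines of an IIS W3C extended log (e.g. from Get-Content on a u_ex*.log file)
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    $pattern    = 'autodiscover\.json.*@.*powershell'   # GTSC hunting regex (case-insensitive below)
    $fieldNames = $null

    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # "#Fields: date time s-ip ..." -> array of column names for the lines that follow
            $fieldNames = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -inotmatch $pattern) { continue }
        if (-not $fieldNames) { throw 'Data line seen before any #Fields header; cannot map columns' }

        # IIS writes '+' for spaces inside values, so a plain split on ' ' is safe
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fieldNames.Count -and $i -lt $values.Count; $i++) {
            $row[$fieldNames[$i]] = $values[$i]
        }

        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            ClientIP = $row['c-ip']
            Request  = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
            Status   = [int]$row['sc-status']
            # A 200 means the front end proxied the request to the backend, which is
            # what GTSC keyed on; a 403 indicates a blocking rule already caught it
            Reached  = ($row['sc-status'] -eq '200')
        }
    }
}

# Constructed sample log (not real traffic): one benign OWA request, one exploit-shaped
# request that got through, and one that was blocked.
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 10.0'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2022-09-28 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31'
    '2022-09-28 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/Powershell 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 187'
    '2022-09-28 10:15:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/Powershell 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 403 0 0 12'
)

Find-ProxyNotShellRequests -LogLines $sampleLog | Format-Table -AutoSize

# On a live server (assumed default IIS log location; adjust to your site's path):
# Get-ChildItem -Recurse 'C:\inetpub\logs\LogFiles' -Filter '*.log' |
#     ForEach-Object { Find-ProxyNotShellRequests -LogLines (Get-Content $_.FullName) }
```

Against the constructed sample the function returns the two `autodiscover.json` lines and marks only the one answered with 200 as having reached the backend; the OWA logon line is ignored. Any hit with `Reached` set to true warrants a look at the server for dropped webshells and for PowerShell activity from the same client, since a 200 on this path is what the exploit chain relies on.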