By Shannon Morse 

About 3 weeks ago, a Vietnamese cybersecurity company, GTSC, reported two security flaws in Microsoft Exchange to Microsoft through the Zero Day Initiative program. The flaws are tracked as CVE-2022-41040 and CVE-2022-41082 and have been nicknamed ProxyNotShell. GTSC publicly disclosed the issues last week.

At the time, Microsoft confirmed that the vulnerabilities exist and that it was aware of targeted attacks in the wild, with attackers chaining the two flaws together to achieve remote code execution on Exchange servers.

Microsoft also noted that threat actors had already used the two vulnerabilities to breach the servers of around 10 organizations in August 2022. The flaws could affect up to 220,000 servers around the world.

Microsoft shared mitigations for the two issues, recommending that customers disable remote PowerShell access for non-admin users and block the known attack URL pattern through IIS Manager. Alternatively, admins can run Microsoft's Exchange On-Premises Mitigation Tool, which requires PowerShell 3 run with admin privileges on IIS 7.5 or higher.

Unfortunately, the mitigation can be bypassed because it only blocks the URL pattern seen in known attacks. Because the URL block is so specific, experts found it insufficient to protect against the attacks and offered an updated rule that covers more of the attack surface.

Microsoft hasn't posted an update at the time of recording, but the CVEs are listed as high severity since they can be used for privilege escalation and remote code execution. Both require authentication as a standard user, but that could easily be obtained through password spraying.

LINKS:

https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/

https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html

https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html

https://arstechnica.com/information-technology/2022/09/high-severity-microsoft-exchange-0-day-under-attack-threatens-220000-servers/