Microsoft says two new Exchange zero-day bugs under active attack, but no immediate fix

Microsoft has confirmed two unpatched Exchange Server zero-day vulnerabilities are being exploited by cybercriminals in real-world attacks.

Vietnamese cybersecurity company GTSC, which first discovered the flaws while responding to a customer's security incident in early August 2022, said the two zero-days have been used in attacks on its customers' environments since then.

Microsoft's Security Response Center (MSRC) said in a blog post late on Thursday that the first vulnerability, CVE-2022-41040, is a server-side request forgery (SSRF) flaw, while the second, CVE-2022-41082, allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” the technology giant confirmed.

Microsoft noted that an attacker needs authenticated access to the vulnerable Exchange Server, such as stolen credentials, to exploit either vulnerability; both affect on-premises Microsoft Exchange Server 2013, 2016 and 2019.

Microsoft hasn’t shared any further details about the attacks and declined to answer our questions. Security firm Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10.

However, GTSC reports that cybercriminals chained the two vulnerabilities to create backdoors on the victim’s system and also move laterally through the compromised network. “After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system,” said GTSC.

GTSC said it suspects a Chinese threat group may be responsible for the ongoing attacks because the webshell's code page is a character encoding for simplified Chinese. The attackers also deployed the China Chopper webshell for persistent remote access, a backdoor commonly used by Chinese state-sponsored hacking groups.

Security researcher Kevin Beaumont, who was among the first to discuss GTSC’s findings in a series of tweets on Thursday, said he is aware of the vulnerability being “actively exploited in the wild” and that he “can confirm significant numbers of Exchange servers have been backdoored.”

Microsoft declined to say when patches would become available, but noted in its blog post that the upcoming fix is on an “accelerated timeline.”

Until then, the company is recommending that customers follow the temporary mitigation measures shared by GTSC, which involve adding a URL Rewrite blocking rule in IIS Manager to reject the request pattern used in the attacks. The company noted that Exchange Online customers do not need to take any action at the moment because the zero-days only affect on-premises Exchange servers.
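The IIS blocking rule described above, scripted with the WebAdministration module instead of clicking through IIS Manager, as an added example that is not code from the article, GTSC or Microsoft. It assumes the IIS URL Rewrite module is installed, that the Exchange front end is served from "Default Web Site", and that the condition pattern is the one GTSC and Microsoft published when the mitigation was first announced; the rule name is hypothetical. Treat the pattern as a point-in-time value and check the vendor's current guidance before deploying, since mitigation patterns of this kind get revised as bypasses are found.

```powershell
# Added example: creates the URL Rewrite "request blocking" rule for the
# Exchange SSRF mitigation from PowerShell. Not the article's, GTSC's or
# Microsoft's own code. Assumptions: URL Rewrite module installed, Exchange
# front end on "Default Web Site", pattern as originally published.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SitePath    = 'IIS:\Sites\Default Web Site'              # assumption
$RuleName    = 'BlockAutodiscoverPowerShellSSRF'          # hypothetical name
$Pattern     = '.*autodiscover\.json.*\@.*Powershell.*'   # originally published pattern
$RulesFilter = 'system.webServer/rewrite/rules'
$RuleFilter  = "$RulesFilter/rule[@name='$RuleName']"

function Add-ExchangeBlockRule {
    # Idempotent: do not stack duplicate rules if the script is re-run.
    if (Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter) {
        Write-Warning "Rule '$RuleName' already exists; nothing to do."
        return
    }

    # 1. Create the rule element: regex syntax, stop processing on match.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesFilter -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }

    # 2. Match every URL; the real test is the condition on REQUEST_URI below,
    #    because the "autodiscover.json ... @ ... Powershell" sequence appears
    #    in the full request URI rather than the path IIS hands to {R:0}.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/match" `
        -Name 'url' -Value '.*'

    # 3. Add the condition that carries the blocking pattern.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }

    # 4. Abort the request outright instead of rewriting or redirecting it.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" `
        -Name 'type' -Value 'AbortRequest'
}

function Get-ExchangeBlockRuleStatus {
    # Read the rule back so the change can be confirmed and recorded.
    $rule = Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter
    if (-not $rule) { throw "Rule '$RuleName' is not present." }
    [pscustomobject]@{
        Name             = $rule.name
        ConditionPattern = (Get-WebConfiguration -PSPath $SitePath -Filter "$RuleFilter/conditions/add").pattern
        Action           = (Get-WebConfiguration -PSPath $SitePath -Filter "$RuleFilter/action").type
        StopProcessing   = $rule.stopProcessing
    }
}

Add-ExchangeBlockRule
Get-ExchangeBlockRuleStatus | Format-List
```

URL Rewrite reads its configuration from web.config immediately, so no IIS restart is needed; after running it, confirm the rule with the status output and verify it does not interfere with legitimate Autodiscover traffic before rolling it out across all front-end servers. Because the rule only blocks one request shape, it is a stopgap until Microsoft's patch ships, not a substitute for it.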