Possible Chinese Hackers Exploit Microsoft Exchange 0-DaysNo Patch Yet Available Although Exploitation Requires Authenticated Access
Hackers, possibly Chinese, are exploiting Microsoft Exchange zero-day vulnerabilities to apparently implant backdoors and steal credentials. The computing giant says it doesn't yet have a patch, telling systems administrators to instead implement workarounds.
See Also: CISO Guide to Email Platform Attacks
A fix is being coded "on an accelerated timeline," Microsoft says in a Thursday bulletin. In the meantime, it suggests blocking the ports for remote access to PowerShell. Exploitation of the zero-days requires the attacker to be already authenticated, limiting the number of potential victims.
Vietnamese cybersecurity firm GTSC first reported the exploits, which consist of two chained zero-days assigned as CVE-2022-41040 and CVE-2022-41082. They affect Microsoft Exchange Server 2013, 2016 and 2019.
The first flaw is a server-side request forgery vulnerability that allows attackers access to back-end servers that they would not have otherwise. The second flaw allows remote code execution when Remote PowerShell is activated. Attackers can exploit the first flaw to trigger the second.
GTSC says its spotted examples of hackers getting into Exchange servers via the two exploits and leaving behind obfuscated web shells for later use as a backdoor. Evidence suggesting a connection to Chinese hackers comes from those web shells, since attackers use AntSword, "an active Chinese-based open-source cross-platform website administration tool that supports web shell management," the firm says. The web shell character encoding is also in Microsoft's character set for simplified Chinese.
Hackers also download files using commands that end with the string "echo [S]&cd&echo [E]," which GTSC says is a signature of the China Chopper web shell popular among Chinese cybercriminals.
Attackers also drop malicious executable and DLLs files used to dump credentials. Anyone with on-premises Exchange servers should block Remote PowerShell ports and add a new blocking rule, Microsoft says.