Microsoft Exchange, 200,000 servers at risk of hacking | New mitigation measures

Microsoft Exchange servers all over the world are not having their best moment: a major hacking campaign has been under way for several days. Its goal appears to be deploying an encrypted, remote-controlled backdoor by exploiting two new vulnerabilities. The company is under fire again after last spring's events, when the Lapsus$ group managed to break into Redmond's computer systems.

This time more than 200,000 servers could bear the consequences, and the perpetrators may be Chinese, although nobody has claimed responsibility. In fact, the attackers are still unknown; the zero-day flaws were first discovered by the Vietnamese security company GTSC, whose researchers found malicious web shells on client networks and traced them to a vulnerability in Exchange.

Similarities to the well-known 2021 zero-day ProxyShell (CVE-2021-34473) were noted at first, but on further investigation the researchers found that the flaw's origin remained unknown. Microsoft later confirmed GTSC's analysis and highlighted two new flaws in its popular mail platform: CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows remote code execution through PowerShell.

Microsoft has observed limited, targeted attacks based on the zero-day flaws. Attackers exploit CVE-2022-41040 to remotely trigger CVE-2022-41082, although Redmond maintains that a successful attack requires valid credentials for at least one email user on the affected server.


As mentioned at the beginning, more than 200,000 Exchange servers may be vulnerable to the new attacks, along with thousands more in hybrid configurations. The threat only affects on-premises Exchange Server deployments; mailboxes hosted on Microsoft's cloud platform should be safe.

The Chinese hypothesis stems from the fact that the web shells found by GTSC researchers on compromised servers contain simplified Chinese characters. That has raised the possibility of state-sponsored hackers, but it clearly remains no more than a hypothesis.

The risk is very high and Microsoft is working hard on a patch to close the flaws as soon as possible; pending a fix, there are recommendations for Exchange customers. The goal is to mitigate intrusions, and to that end the advice is to block Internet traffic to HTTP port 5985 and HTTPS port 5986, the ports used for remote PowerShell. Microsoft finally states that Exchange Online customers do not need to take any action, as these attacks do not affect them.

Update: New Mitigation Measures from Microsoft

Microsoft has updated its mitigations for the latest Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell. The initial recommendations proved insufficient after researchers showed they could easily be bypassed, allowing new attacks that exploit the two bugs. On Tuesday Microsoft announced that it had updated its advisory with an improved URL Rewrite rule and advised Exchange Server customers to review it and adopt one of the available mitigation options.

Customers with the Exchange Emergency Mitigation Service (EEMS) enabled automatically receive the updated URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019.

The EOMTv2 script (version …) now includes the improved URL Rewrite rule. It updates itself automatically on Internet-connected machines and should be run again on any Exchange server that does not have EEMS enabled. The third option is to manually delete the previously created rule and add the improved rule by following the steps below:

  • Open IIS Manager.
  • Select "Default Web Site".
  • In the Features View, click "URL Rewrite".
  • In the Actions pane on the right, click "Add Rule(s)".
  • Select "Request Blocking" and click OK.
  • Add the string ".*Autodiscover\.json.*Powershell.*" (excluding the quotes).
  • Under "Using", select "Regular Expression".
  • Under "How to block", select "Abort Request" and click OK.
  • Expand the rule, select the rule with the pattern .*Autodiscover\.json.*Powershell.*, and click "Edit" under Conditions.
  • Change the Condition input from {URL} to {REQUEST_URI}.
