Microsoft has recently addressed two critical zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. These vulnerabilities were actively exploited in targeted attacks, prompting an immediate response from the tech giant to mitigate potential risks to organizations worldwide.
Key Highlights:
- Two zero-day vulnerabilities, CVE-2022-41040 (Server-Side Request Forgery) and CVE-2022-41082 (Remote Code Execution), were identified and patches were released on November 8, 2022.
- These vulnerabilities require authenticated access for exploitation, with CVE-2022-41040 enabling remote triggering of CVE-2022-41082 under certain conditions.
- Microsoft strongly recommends updating affected systems immediately, as previous mitigation options are deemed obsolete with the release of these updates.
- The vulnerabilities were discovered by Vietnamese cybersecurity firm GTSC, highlighting the global impact and collaborative effort in cybersecurity threat intelligence.
- Fewer than 10 organizations globally have been targeted, likely by a state-sponsored organization, with signs pointing to a Chinese threat group utilizing these vulnerabilities.
The vulnerabilities, CVE-2022-41040 and CVE-2022-41082, necessitate authenticated access for exploitation, indicating a higher barrier for attackers but not completely diminishing the threat. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Microsoft’s swift action to release security updates underscores the severity of these vulnerabilities and the importance of prompt patching by organizations.
The vulnerabilities and the targeted attacks exploiting them were first reported by GTSC, a Vietnamese cybersecurity firm, which observed the exploitation while it was ongoing. The attacks resembled previous campaigns, using tools such as China Chopper web shells for persistence and lateral movement within compromised networks. The indication that a Chinese threat group could be behind these attacks adds a layer of complexity and urgency to the cybersecurity landscape.
To mitigate the risks associated with these vulnerabilities, Microsoft has provided detailed guidance, including the urgent application of the provided patches. Additionally, specific mitigations such as disabling remote PowerShell access for non-admin users were recommended to further secure the affected systems. Exchange Online customers, however, are not required to take any actions due to existing protections and mitigations deployed by Microsoft.
Microsoft emphasizes that Exchange Online customers are not affected and encourages immediate application of the updates to on-premises Exchange Servers. Prior to the update release, Microsoft had recommended specific mitigations, such as a URL Rewrite rule and disabling remote PowerShell access for non-admins, which are now superseded by the security updates.
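The following PowerShell is an added example, not code from the article or from Microsoft's guidance, showing how an administrator could audit the least-privilege mitigation described above (remote PowerShell enabled only for administrators) and, on request, disable it for everyone else. It assumes the Exchange Management Shell on an on-premises server, and the role-group names are an assumption to be matched to your own delegation model.

```powershell
# Audit (and optionally remove) remote PowerShell access for non-admin users.
# Constructed example; not code from the article or from Microsoft's guidance.
# Assumptions: runs in the Exchange Management Shell on an on-premises Exchange
# server; the role-group list below matches your own delegation model.
param([switch]$Apply)   # without -Apply the script only reports

# Members of these role groups keep remote PowerShell (assumed admin groups).
$AdminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management')

# Build a set of admin distinguished names so no administrator is locked out.
# Caveat: only direct role-group members are collected; membership inherited
# through nested security groups is not expanded here.
$AdminDns = @{}
foreach ($group in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { $AdminDns[$_.DistinguishedName] = $true }
}

# Every account that can currently open a remote PowerShell session.
$Enabled = @(Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true })

# Keep only the accounts that are not administrators.
$NonAdmins = @($Enabled | Where-Object { -not $AdminDns.ContainsKey($_.DistinguishedName) })

Write-Host ("{0} accounts have remote PowerShell enabled; {1} are not in an admin role group." -f
    $Enabled.Count, $NonAdmins.Count)
$NonAdmins | Select-Object Name, UserPrincipalName, RecipientTypeDetails | Format-Table -AutoSize

if ($Apply) {
    # Set-User accepts the identity from the pipeline.
    $NonAdmins | Set-User -RemotePowerShellEnabled $false
    Write-Host "Remote PowerShell disabled for the accounts listed above."
} else {
    Write-Host "Dry run only. Re-run with -Apply to disable remote PowerShell for these accounts."
}
```

Run it once without `-Apply` and review the list, since service accounts or delegated helpdesk users that legitimately need remote PowerShell will appear there unless their role group is added to the admin list.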
In the context of cybersecurity and digital infrastructure, the discovery and exploitation of zero-day vulnerabilities such as CVE-2022-41040 and CVE-2022-41082 highlight the ongoing challenges faced by organizations globally. The collaborative efforts between cybersecurity firms and entities like Microsoft in identifying and mitigating these threats are crucial in protecting sensitive information and maintaining the integrity of critical infrastructure.
The incident serves as a stark reminder of the importance of timely updates and cybersecurity hygiene to defend against sophisticated attacks. As attackers continue to evolve their techniques, the collective vigilance and proactive measures by the cybersecurity community and affected organizations remain paramount in the battle against cyber threats.