Microsoft has recently notified its users that two zero-day vulnerabilities in Exchange Server are being exploited by Chinese threat actors, and has recommended a number of mitigations users can apply to protect their data while the company develops patches. Although the attacks observed so far have been limited, Microsoft advises that the attackers may soon target the health sector. In several of the attacks, the attackers deployed the China Chopper web shell for persistent access, which suggests that a state-backed Chinese group is exploiting the flaws.
The vulnerabilities affect the 2013, 2016, and 2019 versions of Microsoft Exchange Server. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) flaw that can be used to gain initial access; it can then be chained with CVE-2022-41082, a Remote Code Execution flaw, to compromise the server. The second flaw is exploitable only when PowerShell is accessible to the attacker. Microsoft has stated that an unauthenticated attacker cannot exploit the vulnerabilities: both require authenticated access to a vulnerable Exchange Server, meaning the attacker must already hold valid credentials. The first vulnerability has a severity score of 8.8 out of 10, and the second 6.3. An attacker who exploits the pair could install a backdoor for persistent access.
Microsoft has said that it is developing patches for the vulnerabilities and has recommended several mitigations users can apply in the meantime. According to Microsoft, users of Exchange Online do not need to take any action, because Microsoft has already applied detections and mitigations on their behalf. On-premises Exchange servers, however, remain exposed; Microsoft recommends that their administrators add a blocking rule (a URL Rewrite rule in IIS) that matches the known attack pattern. Cybersecurity experts have questioned whether this is enough: researchers at GTSC assert that the suggested mitigations are insufficient and will not prevent exploitation of the vulnerabilities.
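The concern about a pattern-based block is easy to see in a log hunt. The following is an added example, not code from the article, from Microsoft, or from GTSC. It parses a short, constructed IIS W3C log excerpt (placeholder hosts, users and requests; not real traffic) and compares two detections: NARROW_PATTERN is a hypothetical literal rule that insists on a raw "@" and the exact spelling "Powershell", and BROAD_PATTERN first URL-decodes the request target and then requires only that "autodiscover.json" and "powershell" both appear, in any order and any case. The field names follow the IIS W3C format; everything else is an assumption made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for illustration only; the hosts, users
# and requests are placeholders, not captured traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-30 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json a@example.org/owa/&Email=autodiscover/autodiscover.json%3Fa@example.org&Protocol=Powershell 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200
2022-09-30 10:02:15 10.0.0.5 POST /autodiscover/autodiscover.json x%40example.org/PowerShell&Email=autodiscover/autodiscover.json%3Fx%40example.org 443 CORP\\jdoe 203.0.113.7 python-requests/2.28 200
2022-09-30 10:03:40 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\admin 10.0.0.9 Mozilla/5.0 200
"""

# Hypothetical narrow rule (an assumption for this example, not Microsoft's
# published rule text): it needs a literal '@' and the exact word "Powershell",
# so a percent-encoded '@' or a change of case slips past it.
NARROW_PATTERN = re.compile(r".*autodiscover\.json.*@.*Powershell.*")

# Broader hunt: require both tokens in any order, case-insensitively, on the
# decoded target, without depending on the '@' separator.
BROAD_PATTERN = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)",
                           re.IGNORECASE | re.DOTALL)


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed records rather than misalign columns
        yield dict(zip(fields, parts))


def request_target(entry, decode=True):
    """Rebuild the request target (stem + query), optionally URL-decoded."""
    query = entry.get("cs-uri-query", "-")
    target = entry["cs-uri-stem"] + ("" if query == "-" else "?" + query)
    return unquote(target) if decode else target


def hunt(text, pattern=BROAD_PATTERN, decode=True, status="200"):
    """Return records whose target matches the pattern and were served with the given status."""
    hits = []
    for entry in parse_iis_log(text):
        if entry.get("sc-status") != status:
            continue
        if pattern.search(request_target(entry, decode)):
            hits.append(entry)
    return hits


def compare_rules(text):
    """Count hits for the narrow rule on the raw target versus the broad rule on the decoded target."""
    return {
        "narrow": len(hunt(text, NARROW_PATTERN, decode=False)),
        "broad": len(hunt(text, BROAD_PATTERN, decode=True)),
    }


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-username"],
              request_target(hit))
    print(compare_rules(SAMPLE_IIS_LOG))
```

On the sample, the narrow rule flags only the request that spells out "@" and "Powershell" literally, while the broad hunt also catches the variant that encodes "@" as %40 and changes the case of "PowerShell". A request that is already past the front end is logged with a 200 status, so filtering on status keeps failed probes out of the way; drop the status filter if you also want to see attempts that were blocked.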