Friday, April 25, 2025
HomeCyber AttackState-Sponsored Hackers Used MS Exchange 0-Day Bugs to Attack At least 10...

State-Sponsored Hackers Used MS Exchange 0-Day Bugs to Attack At least 10 Orgs

Published on

SIEM as a Service

Follow Us on Google News

In August 2022, hackers launched a limited wave of attacks that targeted at least 10 organizations around the world. 

There are two newly disclosed zero-day vulnerabilities being exploited by the hackers in these attacks in order to gain access to and compromise Exchange servers in these attacks.

Chopper web shell was installed during these attacks in order to make hands-on keyboard access more convenient. Attackers utilize this technique to gain access to Active Directory in order to perform reconnaissance and exfiltration of data.

- Advertisement - Google News

As a result of these wild exploits, it is likely that these vulnerabilities will be weaponized further in the coming days due to the growing trend toward weaponizing them.

0-Day Flaws Exploited

Here below we have mentioned the two 0-Day flaws exploited by the hackers in the wild to attack 10 organizations:-

  • CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability with CVSS score: 8.8.
  • CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability with CVSS score: 8.8.

The combination of these two zero-day vulnerabilities together has been named “ProxyNotShell.” The exploitation of these vulnerabilities is possible by using a standard account with a standard authentication process.

In many different ways, it is possible to acquire the credentials of standard users. While the GTSC, a Vietnamese cybersecurity company, was the first to discover the vulnerabilities that have been exploited.

It is suspected that these intrusions were carried out by a Chinese threat actor.

Mitigation

No action is required on the part of Microsoft Exchange Online customers. Microsoft recommended reviewing the URL Rewriting Instructions for Microsoft Exchange customers using on-premises Exchange and also recommended users implement them immediately.

If you are a Microsoft Exchange Server user using Microsoft 365 Defender, then you have to follow the following checklist provided by Microsoft:-

  • Enable cloud-based protection in Microsoft Defender Antivirus.
  • Protect security services from being interrupted by attackers by enabling tamper protection.
  • Microsoft Defender for Endpoint can detect malicious artifacts when EDR is operating in block mode.
  • Protect the Internet network from malicious domains and other malicious content by enabling network protection.
  • Enable full automation for investigation and remediation. By doing so Microsoft Defender for Endpoint can be notified of breaches immediately, allowing it to take immediate action.
  • Discovering your network’s devices will allow you to have greater visibility into what’s going on.

While as additional prevention measures they also recommended users to:-

  • Enable multi-factor authentication (MFA)
  • Legacy authentication must be disabled
  • Do not accept suspicious or unknown 2FA prompts
  • Make sure to use complex passwords
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DragonForce and Anubis Ransomware Gangs Launch New Affiliate Programs

Secureworks Counter Threat Unit (CTU) researchers have uncovered innovative strategies deployed by the DragonForce...

“Power Parasites” Phishing Campaign Targets Energy Firms and Major Brands

Silent Push Threat Analysts have uncovered a widespread phishing and scam operation dubbed "Power...

Threat Actors Register Over 26,000 Domains Imitating Brands to Deceive Users

Researchers from Unit 42 have uncovered a massive wave of SMS phishing, or "smishing,"...

Russian Hackers Attempt to Sabotage Digital Control Systems of Dutch Public Service

The Dutch Defense Ministry has revealed that critical infrastructure, democratic processes, and North Sea...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

DragonForce and Anubis Ransomware Gangs Launch New Affiliate Programs

Secureworks Counter Threat Unit (CTU) researchers have uncovered innovative strategies deployed by the DragonForce...

“Power Parasites” Phishing Campaign Targets Energy Firms and Major Brands

Silent Push Threat Analysts have uncovered a widespread phishing and scam operation dubbed "Power...

Threat Actors Register Over 26,000 Domains Imitating Brands to Deceive Users

Researchers from Unit 42 have uncovered a massive wave of SMS phishing, or "smishing,"...