• November 28, 2022


Microsoft confirmed on September 30 that it is investigating two zero-day vulnerabilities that impact Exchange Server 2013, 2016 and 2019. Between them, there are more than 200,000 installations in businesses worldwide. Microsoft goes on to warn that a single, likely state-sponsored, threat group has been confirmed as exploiting both vulnerabilities by chaining them together. Microsoft adds that the CVE-2022-41040 and CVE-2022-41082 chain attacks have facilitated “hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.” While Microsoft says it has observed these attacks against ten organizations so far, given the Exchange Server user base and the fact that the vulnerabilities are now known, the potential for further attacks is great.

The risk is significant

As such, Mike Walters, the vice-president of vulnerability and threat research at Action1, has warned that “the risk from these zero-days is significant” to many SME and enterprise companies with “vast amounts of critical data.” Security researchers at GTSC initially disclosed that attacks were underway.


CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables remote code execution (RCE) via PowerShell. The former is being used to trigger the latter in a chained exploit, but only if the attacker is already authenticated to Exchange Server at the user level.

CISA advises Exchange Server users and admins to act now

Indeed, the Cybersecurity & Infrastructure Security Agency (CISA) has issued a statement urging both users and administrators to apply mitigations while awaiting an official patch from Microsoft. Microsoft is working on releasing this as soon as possible, although a timescale has not yet been given. Microsoft has further confirmed that this impacts on-premises Exchange Server installations only; Exchange Online users are unaffected by the vulnerabilities.

Microsoft has released a script for on-premises users that will mitigate the exploited SSRF vector and has released an automatic URL rewrite mitigation for users of the Exchange Server Emergency Mitigation Service.
