Microsoft has published updates to address two severe zero-day vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. These vulnerabilities have already been exploited and will continue to be exploited.
There is evidence that attackers have been chaining the two security flaws together to deploy China Chopper web shells on compromised servers. As a result, they have been able to persist, steal data, and move laterally within their victims' networks since September this year.
The software giant confirmed on September 30 that "we are aware of limited targeted attacks using these vulnerabilities to enter users' systems."
"Our team of security experts is monitoring these already deployed detection tools for malicious activity and will take action in order to protect customers in the future. We are working on a timeline that will allow us to release a fix in a short period of time," the company explained.
Microsoft later announced mitigation measures that allowed defenders to block incoming ProxyNotShell attacks. In spite of this, the guidance had to be updated twice after researchers showed that attackers could still bypass the mitigations.
Updates have been issued to administrators
Microsoft released the security updates addressing these two vulnerabilities as part of Patch Tuesday for November 2022.
Because Microsoft is aware of active exploitation of these vulnerabilities (limited targeted attacks), it recommends that "all users comply with the guidelines and install these updates immediately to be protected from these attacks."
"Exchange Server is affected by the vulnerabilities addressed in these SUs and Exchange Online customers are already protected from these vulnerabilities. They will not need to take any further action than just updating the Exchange servers within their environment."
These two security flaws, CVE-2022-41082 and CVE-2022-41040, have been tracked since 2012. They have been found to affect Microsoft Exchange Server 2013, 2016, and 2019.
Attackers can exploit these vulnerabilities to elevate privileges and execute PowerShell within the context of a system, thereby gaining arbitrary control over that system.
Microsoft's advisory for CVE-2022-41082 warns that an attacker could exploit this vulnerability to execute arbitrary commands through server accounts.
By using the server's account as a proxy to trigger malicious code, "the attacker will be able to gain access to the account of the server as an authenticated user."
The ProxyNotShell vulnerabilities can only be exploited remotely by authenticated threat actors. However, the attacks are low in complexity and require no user interaction.