Microsoft warns of two Exchange zero-day bugs exploited by attackers

3 Oct 2022


The tech giant said it is aware of ‘limited targeted attacks’ using these vulnerabilities and is working to release a fix for these bugs.

Microsoft has confirmed two zero-day vulnerabilities affecting its Exchange servers are being exploited in “targeted attacks”.

The tech giant said these bugs affect Exchange Server 2013, 2016 and 2019. The first flaw is a “server-side request forgery” vulnerability, while the second one allows remote code execution on a server when PowerShell is accessible to an attacker.

“Microsoft is aware of limited targeted attacks using these two vulnerabilities,” the company said in a customer guidance notice on Friday (30 September).

“It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.”

The vulnerabilities were first discovered by cybersecurity firm GTSC. This company said it was able to use the exploits to create backdoors in affected systems and perform “lateral movements to other servers in the system”.

Microsoft said it is working on an “accelerated timeline” to release a fix for these bugs. Until then, the company has shared mitigation and detection guidance to help customers protect themselves.

In an update yesterday (2 October), it strongly recommended that Exchange Server customers disable remote PowerShell access for non-admin users.
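The recommendation above can be applied in bulk from the Exchange Management Shell. The script below is an added example, not code from the article or from Microsoft's guidance; it assumes an on-premises server, that administrators are exactly the members of the "Organization Management" role group, and that matching accounts by their Name property is adequate in your directory.

```powershell
# Added example (not from the article or Microsoft). Assumptions: run in the
# on-premises Exchange Management Shell; admins are the members of the
# "Organization Management" role group; accounts are matched by Name.
$adminNames = Get-RoleGroupMember -Identity "Organization Management" |
    Select-Object -ExpandProperty Name

# Mailbox users who still have remote PowerShell enabled and are not admins
$targets = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and ($adminNames -notcontains $_.Name) }

# Dry run first: -WhatIf reports what would change without changing anything
$targets | Set-User -RemotePowerShellEnabled $false -WhatIf

# When the list looks right, apply the change and keep a record of who was affected
$targets | Set-User -RemotePowerShellEnabled $false
$targets | Select-Object Name, UserPrincipalName |
    Export-Csv -Path .\remote-ps-disabled.csv -NoTypeInformation
```

Keep the exported list so the setting can be restored selectively for any account that turns out to need remote PowerShell once a patch is installed.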

Oliver Pinson-Roxburgh, CEO of cybersecurity firm Defense.com, said this is a reminder of the “constant threat” that cyberattacks represent. But he applauded Microsoft for its “swift action” in alerting users to the issue.

“With any cyberattack, companies must inform customers immediately,” Pinson-Roxburgh said. “Open and honest approaches not only minimise the damage from a threat actor but, in this case, ensure that Exchange administrators can act against hackers by blocking suspicious activities.

“While this is not the first, nor the last, zero-day exploit Microsoft will deal with, its swift actions will reassure its users that – should the worst happen – it has transparent and up-to-date response plans ready to go.”

Earlier this year, Russian cybersecurity provider Kaspersky said hard-to-detect malware was being used to backdoor Microsoft Exchange servers belonging to government and other organisations around the world. The firm said it found 24 organisations from Europe, the Middle East, South Asia and Africa that had been compromised by this malware.


Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com