Although Microsoft still hasn’t fixed the ProxyNotShell zero-day vulnerabilities found in Exchange last month, the company is now investigating a report about a new zero-day vulnerability that is being used to compromise Exchange servers. Hackers are exploiting this bug to deploy the LockBit ransomware.
The South Korean company AhnLab warned that hackers are exploiting another zero-day vulnerability. Its researchers report that they are aware of at least one incident, in July 2022, in which attackers used a previously deployed web shell on an Exchange server to elevate privileges to the Active Directory administrator level, steal 1.3 TB of data and encrypt the victim company's systems.
Experts who investigated the incident write that it took the attackers just a week to capture the Active Directory administrator account. At the same time, the Exchange server appears to have been compromised using some kind of “undisclosed zero-day vulnerability”, although the victim company received technical support from Microsoft and regularly installed security updates after another compromise that took place in December 2021.
“Among the vulnerabilities disclosed after May of this year, there were no reports of vulnerabilities related to the execution of remote commands or the creation of files,” the experts explain. “So given that the web shell was created on July 21, it looks like the attackers exploited an undisclosed zero-day vulnerability.”
At the same time, AhnLab cannot rule out that the criminals exploited the already mentioned ProxyNotShell vulnerabilities, although the attack tactics were completely different.
“Perhaps the vulnerabilities in Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) discovered by the Vietnamese information security company GTSC on September 28 were used here, but the attack method, the generated web shell file name and the subsequent attacks after creation do not match the web shell. We believe that other attackers exploited a different zero-day vulnerability,” the researchers say.
Although AhnLab's experts are not completely sure, it is worth noting that information security specialists are aware of at least three more undisclosed vulnerabilities in Exchange. Last month, experts from the Zero Day Initiative told Microsoft that they had discovered three problems in Exchange at once, which they track under the identifiers ZDI-CAN-18881, ZDI-CAN-18882 and ZDI-CAN-18932. Following this, in early October, Trend Micro added signatures for three critical Microsoft Exchange zero-day vulnerabilities to its N-Platform, NX-Platform and TPS security products.
So far, Microsoft has not disclosed any information about these three bugs, and they have not yet been assigned CVE IDs.