Chinese Hackers Are Exploiting Zero-Day Bugs in Microsoft Exchange Servers

A security researcher has released proof-of-concept exploit code for two bugs in Microsoft Exchange, dubbed ProxyNotShell, which attackers can use to gain admin privileges and execute arbitrary code remotely.

Microsoft released updates to patch these bugs a week ago, but it is still up to end users to apply them. In the meantime, researchers have noted a rise in exploitation of these bugs since September this year.

Microsoft Exchange Bugs

Microsoft Exchange is often targeted by hackers due to its popularity, and many organizations use this server software for hosting and managing their files. Thus, any bugs found in this software are quickly exploited.

Most recently, the Vietnamese cybersecurity firm GTSC found two critical bugs in the Microsoft Exchange software that can be exploited by chaining them together and deploying China Chopper web shells on the compromised servers. This exploit chain has been named ProxyNotShell.

These two security vulnerabilities are tracked as CVE-2022-41082 and CVE-2022-41040 and affect Microsoft Exchange Server 2013, 2016, and 2019. After GTSC, several other security firms have detailed how attackers can leverage these bugs to escalate their privileges, run PowerShell commands and gain arbitrary code execution on the compromised systems.

Recognizing the risk, Microsoft released patches for these bugs in the November 2022 Patch Tuesday update and recommended that users apply them immediately, as Redmond has also detected active exploitation against exposed Exchange servers.

“These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.”

Now, a security researcher going by the name Janggggg has released a proof-of-concept (PoC) exploit for these two bugs, which attackers had previously used in their campaigns to backdoor Exchange servers.

With several researchers warning of active exploitation over the last couple of months, administrators are advised to apply the latest Microsoft update to secure their Exchange servers.
