Another 0-Day Bug Was Found in Microsoft Exchange, and LockBit Ransomware Operators Are Exploiting It

0-day in Microsoft Exchange

Although Microsoft still hasn’t fixed the ProxyNotShell vulnerabilities found in Exchange last month, the company is now investigating a report of a new 0-day bug that is being used to compromise Exchange servers. Hackers are exploiting this bug to deploy the LockBit ransomware.

As a reminder, we previously reported that the ProxyToken vulnerability allowed stealing mail through Microsoft Exchange, and that the FBI removed web shells from vulnerable Microsoft Exchange servers without informing their owners.

The South Korean company AhnLab warned that hackers abused yet another 0-day vulnerability. The researchers report that they are aware of at least one incident, in July 2022, in which attackers used a previously deployed web shell on an Exchange server to elevate privileges to the Active Directory administrator level, steal 1.3 TB of data and encrypt the victim company's systems.

The experts who investigated the incident write that it took the attackers just a week to obtain the Active Directory administrator account. At the same time, the Exchange server appears to have been compromised through some kind of "undisclosed zero-day vulnerability", even though the victim company had received technical support from Microsoft and had installed security updates regularly after an earlier compromise in December 2021.

"Among the vulnerabilities disclosed after May of this year, there were no reports of vulnerabilities related to the execution of remote commands or the creation of files. So given that the web shell was created on July 21, it looks like the attackers exploited an undisclosed zero-day vulnerability," the experts explain.
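The investigators' reasoning above rests on a file-system artifact: an ASP.NET web shell whose creation time postdates the last fix for any known file-write or command-execution bug. The following hunt is an added example written for this article, not code from AhnLab or from the original post; it lists ASP.NET files created or modified in the default Exchange 2016/2019 web directories after a cut-off date and flags content typical of web shells. The directory paths, the cut-off date and the keyword list are assumptions for illustration and should be adjusted to the server being examined.

```powershell
# Added example (not from the AhnLab report or the article): hunt for ASP.NET files
# created or modified in Exchange/IIS web directories after a cut-off date, the kind
# of artifact the investigators keyed on (a web shell created on 21 July 2022).
# Paths are the default Exchange 2016/2019 locations and are an assumption here.
$Since = Get-Date '2022-05-01'   # assumption: last month with a known file-write/RCE fix
$Roots = @(
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\ClientAccess",
    'C:\inetpub\wwwroot\aspnet_client'
)

# Content markers commonly seen in ASP.NET web shells (assumed list, not exhaustive)
$ShellPattern = 'eval\(|Request\["|Request\.Item|ProcessStartInfo|cmd\.exe|JScript\.Eval|Page_Load\s*\(.*Request'

$Suspects = Get-ChildItem -Path $Roots -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path       = $_.FullName
            Created    = $_.CreationTime
            Modified   = $_.LastWriteTime
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Suspicious = [bool]($content -match $ShellPattern)
        }
    }

# Newest files first; anything marked Suspicious deserves a manual look
$Suspects | Sort-Object Created -Descending | Format-Table -AutoSize
```

Two caveats a responder should keep in mind: creation and modification timestamps can be altered by an attacker, so corroborate any hit against the IIS request logs for POSTs to that path, and a fully patched server tells you nothing about a web shell that was dropped before the patch was applied, which is exactly the scenario the article describes.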

At the same time, AhnLab cannot rule out that the criminals exploited the already mentioned ProxyNotShell vulnerabilities, although the attack tactics were completely different.

"Perhaps the vulnerabilities in Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) discovered by the Vietnamese information security company GTSC on September 28 were used here, but the attack method, the generated web shell file name and the subsequent attacks after its creation do not match that web shell. We believe that other attackers exploited a different zero-day vulnerability," the researchers say.

Although AhnLab's experts are not completely sure, it is worth noting that information security specialists are aware of at least three more undisclosed vulnerabilities in Exchange. Last month, experts from the Zero Day Initiative told Microsoft that they had discovered three problems in Exchange at once, which they track under the identifiers ZDI-CAN-18881, ZDI-CAN-18882 and ZDI-CAN-18932. Following this, in early October, Trend Micro added signatures for three critical Microsoft Exchange zero-day vulnerabilities to its N-Platform, NX-Platform and TPS security products.

So far, Microsoft has not disclosed any information about these three bugs, and they have not yet been assigned CVE IDs.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
