Although Microsoft still hasn’t fixed the ProxyNotShell vulnerabilities found in Exchange last month, the company is now investigating a report of a new 0-day bug that is being used to compromise Exchange servers. Hackers are exploiting this bug to deploy the LockBit ransomware.
Let me remind you that we also wrote that ProxyToken Vulnerability Allows Stealing Mail Through Microsoft Exchange, and also that FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners.
The South Korean company AhnLab warned that hackers abused another 0-day vulnerability. Researchers report that they are aware of at least one incident that occurred in July 2022, when attackers used a previously deployed web shell on an Exchange server to elevate privileges to the Active Directory administrator level and hlave stolen 1.3 TB of data and encrypt victim company systems.
Experts who investigated the incident write that it took the attackers just a week to capture the Active Directory administrator account. At the same time, the Exchange server appears to have been compromised using some kind of “undisclosed zero-day vulnerability”, although the victim company received technical support from Microsoft and regularly installed security updates after another compromise that took place in December 2021.
At the same time, AhnLab is not sure that the criminals did not exploit the already mentioned ProxyNotShell vulnerabilities, although the attack tactics were completely different.
Although AhnLab experts are not completely sure, it is worth noting that information security specialists are aware of at least three more undisclosed vulnerabilities in Exchange. So, last month, experts from the Zero Day Initiative told Microsoft that they discovered three problems in Exchange at once, which they track under the identifiers ZDI-CAN-18881, ZDI-CAN-18882 and ZDI-CAN-18932. Following this, in early October, Trend Micro added signatures for three critical Microsoft Exchange zero-day vulnerabilities to its N-Platform, NX-Platform, or TPS security products.
So far, Microsoft has not disclosed any information about these three bugs, and they have not yet been assigned CVE IDs.