Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild.
Attackers have been chaining the two security flaws to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as for lateral movement in their victims’ networks, since at least September 2022.
Microsoft confirmed they were actively abused in attacks on September 30, saying it was “aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”
“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. We are working on an accelerated timeline to release a fix,” the company added.
The company later released mitigation measures to allow defenders to block incoming ProxyNotShell attacks but had to update the guidance twice after researchers showed that attackers could still bypass them.
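The mitigation bypasses above came down to pattern matching: a request-blocking rule that looks for a narrow literal string in the raw request URI can be sidestepped by dropping an optional character or URL-encoding the path, while a rule that first decodes the URI and then requires the relevant tokens anywhere in it is much harder to evade. The following added example (written for this page, not code from Microsoft or from the original article) runs a weak and a hardened matcher over a constructed IIS W3C log excerpt; the two patterns are modelled on the shape of Microsoft's published URL Rewrite mitigation as the author remembers it, and the log lines, hostnames and user names are made up, so verify the exact rule text against the Exchange Team blog before relying on it for detection.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from any real server). Field layout
# follows the IIS default order; trailing fields are trimmed for brevity.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 09:12:44 10.0.0.5 GET /owa/ - 443 DOMAIN\\user1 198.51.100.7 Mozilla/5.0 200
2022-10-03 09:13:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 DOMAIN\\user1 198.51.100.7 python-requests/2.28 200
2022-10-03 09:13:02 10.0.0.5 POST /autodiscover/autodiscover.json a.example.com/powershell 443 DOMAIN\\user1 198.51.100.7 python-requests/2.28 200
2022-10-03 09:13:03 10.0.0.5 POST /autodiscover/autodiscover.json %40example.com%2Fpowershell 443 DOMAIN\\user1 198.51.100.7 python-requests/2.28 200
2022-10-03 09:14:10 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\admin 203.0.113.9 Mozilla/5.0 200
"""

# Weak rule (assumed shape of the early guidance): requires the literal
# "autodiscover.json", then an "@", then "powershell", on the *raw* URI.
WEAK_PATTERN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Hardened rule (assumed shape of the later guidance): URL-decode first, then
# require both tokens anywhere in the URI, in any order, ignoring case.
ROBUST_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def request_uri(stem: str, query: str) -> str:
    """Rebuild the REQUEST_URI from the IIS stem and query columns ('-' = none)."""
    return stem if query == "-" else f"{stem}?{query}"


def weak_match(uri: str) -> bool:
    return WEAK_PATTERN.search(uri) is not None


def robust_match(uri: str) -> bool:
    # Decoding defeats %40 / %2F style evasion of the literal match.
    return ROBUST_PATTERN.search(unquote(uri)) is not None


def parse_iis(text: str):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def scan(text: str, matcher) -> list:
    """Return (time, client ip, user, uri) for every record the matcher flags."""
    hits = []
    for rec in parse_iis(text):
        uri = request_uri(rec["cs-uri-stem"], rec["cs-uri-query"])
        if matcher(uri):
            hits.append((rec["time"], rec["c-ip"], rec["cs-username"], uri))
    return hits


if __name__ == "__main__":
    for name, matcher in (("weak", weak_match), ("robust", robust_match)):
        print(f"{name}: {len(scan(SAMPLE_LOG, matcher))} hit(s)")
        for hit in scan(SAMPLE_LOG, matcher):
            print("   ", hit)
```

On the constructed sample the weak matcher flags only the textbook request, missing both the request without the `@` and the URL-encoded one, while the hardened matcher flags all three. To use this against real data, feed it the files under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\`) and treat every hit as a lead to pivot on by client IP and account, not as proof of compromise on its own.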
There are reports emerging that a new zero day exists in Microsoft Exchange, and is being actively exploited in the wild
I can confirm significant numbers of Exchange servers have been backdoored – including a honeypot.
Thread to track issue follows:
— Kevin Beaumont (@GossiTheDog) September 29, 2022
Admins warned to patch
Today, as part of the November 2022 Patch Tuesday, Microsoft finally released security updates to address the two vulnerabilities.
“Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks,” the Exchange Team warned.
“These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.”
Chained together, the two flaws (CVE-2022-41040, a server-side request forgery bug, and CVE-2022-41082, the remote code execution bug it exposes) let an authenticated attacker reach the Exchange PowerShell backend and run code in the context of the server account.
“The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution,” Microsoft added in the CVE-2022-41082 advisory.
“As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.”
The ProxyNotShell flaws can only be exploited remotely by an authenticated attacker; however, the attacks are low-complexity and require no user interaction, which is why valid credentials for an ordinary mailbox user are enough to make exposed servers a practical target.