
Microsoft warns of two 0-day vulnerabilities in Exchange Server: not yet fixed

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizen Wu Yanzu in South China for the tip! CTOnews.com, Oct. 2: Last year, Microsoft warned that on-premises servers were under widespread attack and hurried to detail mitigation measures and security updates within a few weeks. Now Exchange Server appears to be under attack again, this time through two 0-day vulnerabilities.

CTOnews.com learned that, as usual, Exchange Online customers are not affected and do not need to do anything. The vulnerabilities affect on-premises installations of Exchange Server 2013, 2016, and 2019.

The two vulnerabilities are tracked as CVE-2022-41040 and CVE-2022-41082, respectively. The former is a server-side request forgery (SSRF) vulnerability, while the latter enables malicious actors to conduct remote code execution (RCE) attacks through PowerShell. That said, an attacker needs authenticated access to the Exchange server to exploit either of the two vulnerabilities.

Since there are no patches yet, Microsoft has not gone into the details of the attack chain. It has provided a number of mitigation measures, including adding blocking rules to the URL Rewrite configuration and blocking ports 5985 (HTTP) and 5986 (HTTPS), which are used by remote PowerShell.
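The port-blocking mitigation described above can be applied and then verified on the Exchange host with Windows Firewall cmdlets. This is an added example, not Microsoft's own script or code from the article; the rule name is a hypothetical label, and it assumes Windows Firewall is the enforcing firewall on the server.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. The rule name is a hypothetical label.
$RuleName = 'Mitigation - block inbound Remote PowerShell'
$Ports    = 5985, 5986   # HTTP and HTTPS ports named in the article

# Create the block rule only if it is not already present, so the script is safe to re-run.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    # Block rules take precedence over allow rules in Windows Firewall, so this
    # also cuts off legitimate inbound WinRM administration of this host.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $Ports -Action Block -Profile Any | Out-Null
}

# Re-read the rule and confirm it is enabled, set to Block, and covers both ports.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter

foreach ($port in $Ports) {
    # A listener may still exist locally; the rule only stops inbound connections to it.
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
        -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Port       = $port
        Listening  = $listening
        RuleActive = ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
        Covered    = ($filter.LocalPort -contains "$port")
    }
}
```

A row with `Listening` true but `RuleActive` or `Covered` false means remote PowerShell is still reachable on that port from the network.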

Unfortunately, Microsoft Sentinel has no specific hunting query for these vulnerabilities, and Microsoft Defender for Endpoint can only detect post-exploitation activity, which includes detection of the "Chopper" web shell malware. Microsoft has assured customers that it is working on an "accelerated schedule" for the fix, but so far has not disclosed a tentative patch release date. Users can find more details about the mitigation and detection of the zero-day vulnerabilities here.
