One of those company stalwarts is Microsoft Exchange Server, which is also a popular target for hackers. While details are scarce, Microsoft acknowledged in a blog post that the two flaws were exploited by a suspected state-sponsored threat actor to target, and successfully exfiltrate data from, fewer than ten organizations.
The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, CVE-2022-41082, allows remote code execution when Exchange PowerShell is reachable by the attacker. Chained together, the SSRF flaw gives the attacker the path to the RCE flaw, allowing malicious code to be run remotely on the target server. Note that authenticated access to the vulnerable Exchange server is required to exploit either flaw, so stolen or weak credentials are the entry point.
Given that Microsoft Exchange is used by some 65,000 businesses, organizations must be prepared for threat actors to exploit these vulnerabilities. In March of last year, a Chinese threat actor known as Hafnium compromised at least 30,000 US organizations by exploiting four zero-day vulnerabilities in on-premises versions of Exchange Server.
Hafnium gained access to organizations' Exchange servers using stolen credentials or the zero-days themselves, deployed malware (web shells) to obtain remote administrative access, and then began harvesting sensitive data.
Microsoft stated in a blog post on September 30th that “similar threats and total exploitation of these vulnerabilities are likely to escalate, as security researchers and cybercriminals adapt the disclosed findings into their toolkits and proof of concept code becomes accessible.” Although no patch was yet available, Microsoft issued a list of mitigations that organizations can apply to protect their environments in the meantime.
Among them: enable network protection to prevent users and applications from connecting to dangerous domains. Because exploitation requires authenticated access, organizations can also indirectly reduce the risk by emphasizing security awareness, training staff to recognize social engineering, and enforcing sound password management, all of which make it less likely that an attacker obtains credentials, let alone administrator access, to Exchange.
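The two controls the article names, enabling network protection and limiting who can reach Exchange PowerShell, can be applied from the Exchange Management Shell. The script below is an added example written for this page; it is not code from the article or from Microsoft's guidance. It assumes Microsoft Defender Antivirus is the endpoint AV (for the Set-MpPreference cmdlet), that the Exchange cmdlets are loaded, and that the $AdminAccounts list (a placeholder here) contains the organization's own administrators who legitimately need remote PowerShell.

```powershell
# Added example (not the article's or Microsoft's own code).
# Run in the Exchange Management Shell as an Exchange administrator.
# Assumptions: Defender AV is present; $AdminAccounts is a placeholder list of
# accounts that must keep remote PowerShell (include the account running this!).
param(
    [string[]]$AdminAccounts = @('exchadmin', 'svc-exchange'),  # placeholder values
    [switch]$DryRun                                             # report only, change nothing
)

# 1. Network protection blocks connections to known-malicious domains
#    (the control the article says to enable).
#    EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
if ($pref.EnableNetworkProtection -ne 1) {
    Write-Host "Network protection is not enforced (current value: $($pref.EnableNetworkProtection))"
    if (-not $DryRun) {
        Set-MpPreference -EnableNetworkProtection Enabled
        Write-Host "Network protection enabled"
    }
} else {
    Write-Host "Network protection already enabled"
}

# 2. CVE-2022-41082 needs the attacker to reach Exchange PowerShell, and Exchange
#    grants every mailbox user remote PowerShell by default. Revoke it for everyone
#    who is not on the admin list, so a stolen user password alone is not enough.
$users = Get-User -ResultSize Unlimited | Where-Object { $_.RemotePowerShellEnabled }
$report = foreach ($u in $users) {
    $isAdmin = $AdminAccounts -contains $u.SamAccountName
    if (-not $isAdmin -and -not $DryRun) {
        Set-User -Identity $u.Identity -RemotePowerShellEnabled $false
    }
    [pscustomobject]@{
        User                 = $u.SamAccountName
        KeptRemotePowerShell = $isAdmin
        Changed              = (-not $isAdmin) -and (-not $DryRun)
    }
}
$report | Sort-Object KeptRemotePowerShell -Descending | Format-Table -AutoSize
```

Run it first with -DryRun to see which accounts would lose remote PowerShell, and confirm the account you are logged in with is in $AdminAccounts before running it for real, or you will lock yourself out of the shell. These steps reduce exposure but do not remove the vulnerabilities; they are a stopgap until the security update is installed, and the current Microsoft guidance should be checked for any additional mitigations.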