A new zero-day vulnerability in Microsoft Exchange servers is under investigation after reports that attackers abused it to launch LockBit ransomware attacks on compromised networks.
In July 2022, researchers found that a threat actor used a web shell on a compromised Exchange server to escalate to Active Directory admin privileges, steal over 1.3TB of data, and encrypt files on the infected systems.
According to the researchers, the Exchange server was breached through a previously unknown zero-day flaw. Counting from the day the web shell was deployed, the attackers took about a week to hijack the Active Directory admin account.
Microsoft says it will investigate the reports of this new Exchange zero-day to protect its users.
A Microsoft representative stated that every claim in the reports would be thoroughly investigated and that the company would take appropriate action to help protect customers.
The researchers also believe the new flaw is distinct from CVE-2022-41040 and CVE-2022-41082 (the pair known as ProxyNotShell), which Microsoft has been patching, because its characteristics and the attackers' tactics differ.
Other analysts, however, argue that the delivery method alone is not enough evidence that a new, different vulnerability was used in this operation. Separately, another security vendor disclosed three more Exchange vulnerabilities that are being exploited in the wild and said it offers a way for users to block exploitation attempts.
These three bugs are tracked by Trend Micro's Zero Day Initiative as ZDI-CAN-18881, ZDI-CAN-18882, and ZDI-CAN-18932. The vendor says its analysis has validated all three, which is a concern for end users, and that it reported them to Microsoft three weeks ago.
Detection filters for the three bugs are offered to help protect users against exploitation of affected Exchange servers. Microsoft has yet to comment on these reported flaws or assign them CVE IDs for tracking.
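While the vendor's own filters are not public on this page, defenders can hunt for the first stage of the attack described above, a web shell dropped on an Exchange front end, in IIS logs. The script below is an added example written for this article, not the vendor's detection filters and not code from the researchers; the sample log excerpt is constructed, and the allowlist of legitimate `.aspx` pages under `/owa/auth/` and `/aspnet_client/`, the scoring weights, and the threshold are assumptions chosen for illustration that should be tuned against a known-clean server.

```python
"""Hunt IIS W3C logs for web-shell activity on an Exchange front end.

Added example with heuristic scoring; the allowlist, weights and sample
log are assumptions, not a vendor's filters or a real incident's data.
"""
import re

# Constructed sample IIS W3C log excerpt; hosts, paths and addresses are
# made up for this example and are not from any real incident.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-07-01 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2022-07-01 09:14:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2022-07-01 09:20:11 10.0.0.5 GET /owa/auth/errorFE.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2022-07-01 11:02:40 10.0.0.5 POST /owa/auth/update.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2022-07-01 11:02:41 10.0.0.5 POST /owa/auth/update.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.28 200
2022-07-01 11:05:03 10.0.0.5 POST /aspnet_client/system_web/hhx.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2022-07-01 11:30:15 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\admin 10.0.0.44 Mozilla/5.0 200
"""

# Assumption: .aspx pages that legitimately live directly under these Exchange
# virtual directories. Any other .aspx there is treated as a possible dropped
# web shell. Build this allowlist from a known-clean server before relying on it.
WATCHED_VDIRS = {
    "/owa/auth/": {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx"},
    "/aspnet_client/": set(),  # holds client-side scripts; no .aspx belongs here
}
BROWSER_UA = re.compile(r"^mozilla/", re.I)


def parse_iis_log(text):
    """Parse W3C-format IIS lines, naming the columns from the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # IIS encodes spaces inside a field as '+'
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines instead of aborting the hunt
        records.append(dict(zip(fields, parts)))
    return records


def score_request(rec):
    """Score one request; higher is more web-shell-like. Returns (score, reasons)."""
    stem = rec["cs-uri-stem"].lower()
    if not stem.endswith(".aspx"):
        return 0, []
    score, reasons = 0, []
    for vdir, allowed in WATCHED_VDIRS.items():
        if stem.startswith(vdir) and stem[len(vdir):] not in allowed:
            score += 2
            reasons.append("unknown .aspx under " + vdir)
    if score == 0:
        return 0, []  # only unknown pages in watched directories are of interest
    if rec["cs-method"] == "POST" and rec["sc-status"] == "200":
        score += 1
        reasons.append("successful POST")
    if not BROWSER_UA.match(rec["cs(User-Agent)"]):
        score += 1
        reasons.append("non-browser user agent")
    if rec["cs-uri-query"] != "-":
        score += 1
        reasons.append("query string sent to unknown page")
    return score, reasons


def find_webshell_candidates(text, threshold=3):
    """Aggregate scored requests per path and return those at or above threshold."""
    by_path = {}
    for rec in parse_iis_log(text):
        score, reasons = score_request(rec)
        if score < threshold:
            continue
        stem = rec["cs-uri-stem"]
        entry = by_path.setdefault(stem, {
            "path": stem,
            "first_seen": rec["date"] + " " + rec["time"],
            "hits": 0,
            "clients": set(),
            "max_score": 0,
            "reasons": set(),
        })
        entry["hits"] += 1
        entry["clients"].add(rec["c-ip"])
        entry["max_score"] = max(entry["max_score"], score)
        entry["reasons"].update(reasons)
    return sorted(by_path.values(), key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for c in find_webshell_candidates(SAMPLE_LOG):
        print(f"{c['first_seen']}  {c['path']}  hits={c['hits']} "
              f"clients={sorted(c['clients'])} score={c['max_score']}")
        print("    " + "; ".join(sorted(c["reasons"])))
```

The first-seen timestamp of each flagged path gives the earliest point to pivot from: file creation times in the Exchange front-end directories, the IIS worker process spawning cmd.exe or PowerShell, and new logons by privileged accounts after that time are the next places to look, since the report describes roughly a week between web shell deployment and the Active Directory takeover.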