UPDATE: New Microsoft Exchange Zero-Day Vulnerabilities (CERT-EU Security Advisory 2022-068)

On September 28, 2022, security researchers at the Vietnamese cybersecurity vendor GTSC published a blog post claiming they had discovered an attack campaign which utilised two zero-day bugs in Microsoft Exchange that could allow an attacker remote code execution. The attackers are chaining the pair of zero-days to deploy web shells, notably China Choppers, on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims' networks.
Microsoft identified the first vulnerability as CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability; the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA).

https://www.cert.europa.eu/static/SecurityAdvisories/2022/CERT-EU-SA2022-068.pdf

@cert_eu I am an experienced incident responder and I am begging people to stop hosting their own Exchange servers. The attack surface is huge and they are very visible and valuable targets.
@hal_pomeranz @cert_eu "stop hosting" in general, or more along the lines of "stop exposing your Exchange services without a client VPN or clientless VPN-ish solution including MFA / client certs as access requirement"?
I might be biased but locking your stuff down and having some access control in place should help with on premise exchange, right?
@dj0x00s @cert_eu We’ve seen enough pre-authentication vulnerabilities in Exchange that I’m not comfortable exposing it directly to the internet even with MFA. Even hiding Exchange behind VPN makes me nervous because self-hosted Exchange is the obvious initial compromise once the attacker steals a VPN credential.
@cert_eu this isn't a zero day, the November patches for ProxyNotShell do remediate this new exploit vector (which is "only" a bypass of the URL blocking workaround)

@cert_eu Q: When will people, organizations, corporations and governments stop using #Microsoft's unredeemable and unfixable #Govware???

Seriously, get rid of that binary trash!
https://www.youtube.com/watch?v=duaYLW7LQvg

The Microsoft-Dilemma - Europe as a Software Colony (Full Documentary, 2018)
