State-sponsored hackers are currently exploiting critical vulnerabilities in Microsoft Exchange Server to deploy keylogger malware and steal sensitive data. This alarming activity highlights the urgent need for organisations to address these security flaws promptly.
Vulnerabilities:
The attackers are targeting two critical flaws in Microsoft Exchange Server:
CVE-2022-41040 (Elevation of Privilege)
CVE-2022-41082 (Remote Code Execution)
Both vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 8.8, indicating their high severity.
Exploitation:
These vulnerabilities are being leveraged to install the Chopper web shell, a tool that enables attackers to execute further attacks and exfiltrate data. The web shell allows for remote control over the compromised servers, facilitating the deployment of additional malware and unauthorised access to sensitive information.
Mitigation:
Microsoft has provided several recommendations to mitigate the risks associated with these vulnerabilities:
Apply URL Rewrite rules for IIS to help block specific attack patterns.
Enforce Multi-Factor Authentication (MFA) to add an extra layer of security.
Disable legacy authentication methods that are more susceptible to compromise.
Educate users about unexpected 2FA prompts so they can recognise potential phishing attempts and other social engineering tactics.
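The first recommendation above, a URL Rewrite rule for IIS, blocks requests whose decoded URI matches a condition; the same condition can be evaluated retrospectively over existing IIS logs to scope whether a server saw matching requests before the rule was applied. The script below is an added example for that triage task, not code from the article or from Microsoft. It assumes the condition regex from Microsoft's published mitigation for CVE-2022-41040 and CVE-2022-41082 (reproduced from memory, so treat it as an assumption and check it against current guidance), IIS logs in the standard W3C format with a `#Fields:` header, and constructed sample log lines that are not real traffic.

```python
"""Retrospective check of IIS W3C logs against a URL Rewrite blocking condition.

Microsoft's mitigation for CVE-2022-41040 / CVE-2022-41082 is an IIS URL Rewrite
rule whose condition is evaluated against the URL-decoded request URI. Running the
same condition over historical IIS logs shows which requests the rule would have
blocked, which helps scope an incident on servers that were mitigated late.
"""
import re
from urllib.parse import unquote

# Assumption: condition regex from Microsoft's published URL Rewrite mitigation,
# evaluated against {UrlDecode:{REQUEST_URI}} with case-insensitive matching.
# Both lookaheads must hold, so "autodiscover" alone or "powershell" alone is not a hit.
REWRITE_CONDITION = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed sample in IIS W3C format (not real traffic). One line carries a
# URL-encoded character to show why decoding must happen before matching.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-10-01 08:15:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 203.0.113.10 Outlook/16.0 200
2022-10-01 08:16:44 10.0.0.5 GET /autodiscover/autodiscover.json x=%50owerShell 198.51.100.7 python-requests/2.28 401
2022-10-01 08:17:01 10.0.0.5 GET /owa/ - 203.0.113.11 Mozilla/5.0 200
2022-10-01 08:18:30 10.0.0.5 POST /mapi/emsmdb/ powershell=1 203.0.113.12 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # column names follow the directive
            continue
        if not raw or raw.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("request line appears before a #Fields header")
        values = raw.split()  # IIS encodes spaces inside field values, so whitespace is a safe separator
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign its columns
        yield dict(zip(fields, values))


def request_uri(entry):
    """Rebuild REQUEST_URI from stem and query, then decode it as {UrlDecode:...} would."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    return unquote(uri)


def would_be_blocked(entry):
    """True when the rewrite rule's condition matches this request's decoded URI."""
    return REWRITE_CONDITION.search(request_uri(entry)) is not None


def find_matching_requests(text):
    """Return (client ip, status, decoded uri) for every request the rule would block."""
    return [
        (entry["c-ip"], entry["sc-status"], request_uri(entry))
        for entry in parse_iis_w3c(text)
        if would_be_blocked(entry)
    ]


if __name__ == "__main__":
    for client_ip, status, uri in find_matching_requests(SAMPLE_LOG):
        print(f"{client_ip} {status} {uri}")
```

Run it against a real log by reading the file contents into `find_matching_requests`; the status column is worth keeping in the output because a matching request that returned 200 warrants closer investigation than one that was rejected with 401. This check only tells you which requests the rewrite rule would have blocked; it does not replace applying the rule or the security update.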
Impact:
Since 2021, over 30 entities, including government agencies and banks across Africa and the Middle East, have been targeted by these attacks. The widespread nature and high-profile targets underline the critical importance of addressing these vulnerabilities immediately.
Organisations using Microsoft Exchange Server are urged to follow Microsoft's mitigation strategies and stay vigilant against potential security breaches. By taking proactive measures, businesses can protect their data and maintain the integrity of their operations against these sophisticated cyber threats.