State-Sponsored Hackers Likely Targeted 10 Organizations With M.S. Exchange 0-Day Exploits


Microsoft revealed on Friday that a single activity group in August 2022 breached Exchange servers by chaining the two recently disclosed zero-day flaws in a constrained set of attacks targeted at fewer than ten global organizations.


According to a report released on Friday by the Microsoft Threat Intelligence Center (MSTIC), “these attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.”

Microsoft further stated that due to the “highly privileged access Exchange systems confer upon an attacker,” the weaponization of the vulnerabilities is anticipated to increase over the next few days as malicious actors incorporate the exploits into their toolkits, including the use of ransomware.

The tech giant added that it was already investigating these attacks when the Zero Day Initiative reported the flaws to the Microsoft Security Response Center (MSRC) earlier this month, on September 8-9, 2022. It attributed the ongoing attacks with medium confidence to a state-sponsored organization.


Because “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, indicating an incomplete patch, the two flaws have been collectively dubbed ProxyNotShell.

The two flaws that are chained to achieve remote code execution are listed below:

  • Microsoft Exchange Server Server-Side Request Forgery Vulnerability (CVE-2022-41040)
  • Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082)

Although these flaws require authentication, Microsoft stated that the credentials of a standard (non-administrative) user are enough to exploit them. Such credentials can be obtained through various means, such as password spraying or purchasing them on underground markets.

In August 2022, the vulnerabilities were first identified by the Vietnamese cybersecurity company GTSC as part of its incident response work for a client. The intrusions are thought to have been initiated by a Chinese threat actor.

The two zero-day vulnerabilities in Microsoft Exchange Server were added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), requiring federal agencies to patch their systems by October 21, 2022.


Microsoft stated that it is putting a fix for the flaws out on an “accelerated timeline.” Additionally, it has made available a script for the URL Rewrite mitigation steps listed below, which it claims is “successful in breaking current attack chains”:

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule, select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.
  • Change the Condition input from {URL} to {REQUEST_URI}

As additional prevention measures, the company is urging companies to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users about not accepting unexpected two-factor authentication (2FA) prompts.


According to Travis Smith, vice president of malware threat research at Qualys, “Microsoft Exchange is a juicy target for threat actors to exploit for two main reasons.”

“First, Exchange’s direct internet connection creates an attack surface that is reachable from anywhere in the world, significantly raising the threat of an attack. Secondly, Exchange is a mission-critical function — organizations can’t just unplug or turn off an email without negatively impacting their business.”
