State-Sponsored Hackers Likely Targeted 10 Organizations With Microsoft Exchange 0-Day Exploits

    Microsoft said that in August 2022 a single threat group used two newly disclosed Exchange Server vulnerabilities to compromise fewer than ten organizations worldwide.


    According to a report from the Microsoft Threat Intelligence Center (MSTIC), the attackers deployed the Chopper web shell for hands-on-keyboard access, which they then used to perform Active Directory reconnaissance and exfiltrate data.

    Given the privileged access the flaws grant to Exchange systems, Microsoft warned that exploitation is likely to increase in the coming days and could be followed by ransomware deployment by criminal actors.

    The company said it has been investigating these attacks since the Zero Day Initiative reported the vulnerabilities to the Microsoft Security Response Center (MSRC) on September 8 and 9, 2022, and that it is fairly confident the ongoing attacks are the work of a state-sponsored group.


    The two flaws, collectively known as ProxyNotShell, resemble ProxyShell but require authentication to exploit, which suggests the earlier ProxyShell patch was incomplete.

    The vulnerabilities that together enable remote code execution are:

    • Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server (CVE-2022-41040)
    • Remote Code Execution vulnerability in Microsoft Exchange Server (CVE-2022-41082)

    Although authentication is required to exploit these flaws, Microsoft noted that ordinary user credentials are sufficient, and such credentials can be obtained in a number of ways, including password “spraying” or purchase from illicit online markets.

    The vulnerabilities were first discovered as early as August 2022 by GTSC, a cybersecurity company based in Vietnam, while it was responding to an incident for a client. GTSC attributed the attacks to a Chinese threat actor.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-days to its Known Exploited Vulnerabilities (KEV) catalog, requiring government agencies to patch their systems by October 21, 2022.


    Microsoft said it is working on an accelerated timeline to release a fix. In the meantime the company has published a script that applies URL Rewrite mitigations, which it says have been successful in breaking the current attack chains. The same mitigation can be applied manually with the following steps:

    • Open IIS Manager.
    • Select the home page.
    • In the Feature View, open URL Rewrite.
    • In the Actions pane, click Add Rule(s).
    • Select Request Blocking and click OK.
    • Enter the string “.*autodiscover.json.*@.*Powershell.*” as the pattern.
    • Select Regular Expressions under How to Use.
    • Select Abort Request from the list of blocking methods and click OK.
    • Expand the rule, select the rule with the pattern “.*autodiscover.json.*@.*Powershell.*”, and click Edit under Conditions.
    • Change {URL} to {REQUEST_URI} in the Condition field.
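    The last step matters more than it looks: a Request Blocking rule evaluates {URL}, the path only, by default, while the string the pattern is looking for sits in the query part of the request, so the rule only fires once its input is switched to {REQUEST_URI}. The following Python script, added here as an illustration and not part of the article or of Microsoft's mitigation script, applies the article's pattern to a few constructed request URIs under both condition inputs so that a defender can see what the rule blocks and why the {REQUEST_URI} change is required. The pattern is taken verbatim from the steps above; the sample URIs and the `is_blocked`/`evaluate` helpers are this example's own, and Microsoft has revised its published rewrite patterns since the initial guidance, so check the current guidance before deploying.

```python
import re
from urllib.parse import urlsplit

# Pattern exactly as given in the mitigation steps above.
# IIS URL Rewrite matches case-insensitively by default, so IGNORECASE is used here.
BLOCK_PATTERN = re.compile(r".*autodiscover.json.*@.*Powershell.*", re.IGNORECASE)


def rule_input(request_uri: str, condition_input: str) -> str:
    """Return the string the rule actually evaluates.

    {URL}         -> the URL path only (the default for a Request Blocking rule)
    {REQUEST_URI} -> the path plus the query string
    """
    parts = urlsplit(request_uri)
    if condition_input == "{URL}":
        return parts.path
    if condition_input == "{REQUEST_URI}":
        return parts.path + ("?" + parts.query if parts.query else "")
    raise ValueError(f"unsupported condition input: {condition_input}")


def is_blocked(request_uri: str, condition_input: str = "{REQUEST_URI}") -> bool:
    """True when the Abort Request rule would fire for this request."""
    return BLOCK_PATTERN.fullmatch(rule_input(request_uri, condition_input)) is not None


def evaluate(request_uris, condition_input: str) -> list:
    """Evaluate the rule over several requests; returns one bool per URI."""
    return [is_blocked(uri, condition_input) for uri in request_uris]


# Constructed sample requests (hypothetical hosts, not real traffic):
SAMPLE_REQUESTS = [
    # the request shape the mitigation is designed to block
    "/autodiscover/autodiscover.json?@example.test/powershell",
    # a normal Autodiscover request: has an "@" but no "powershell", must not be blocked
    "/autodiscover/autodiscover.json?Email=alice@example.test",
    # unrelated OWA request, must not be blocked
    "/owa/auth/logon.aspx",
    # mixed-case variant of the first request, still blocked because matching ignores case
    "/Autodiscover/Autodiscover.json?@EXAMPLE.TEST/PowerShell/",
]

if __name__ == "__main__":
    for condition in ("{URL}", "{REQUEST_URI}"):
        print(f"condition input {condition}:")
        for uri, blocked in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, condition)):
            print(f"  {'BLOCK' if blocked else 'allow'}  {uri}")
```

    Run as written, the script shows that with {URL} nothing is blocked, because the path "/autodiscover/autodiscover.json" on its own contains neither an "@" nor "powershell", whereas with {REQUEST_URI} the first and last sample requests are aborted and the legitimate Autodiscover and OWA requests pass. Note also that the unescaped "." in the article's pattern matches any character, which is harmless here but is why the pattern is broader than the literal filename suggests.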

    Microsoft also recommends enabling multi-factor authentication (MFA), disabling legacy authentication, and training users to be wary of unexpected two-factor authentication (2FA) prompts.


    Travis Smith, Vice President of Malware Threat Research at Qualys, said that hackers target Microsoft Exchange because it is widely used and has security holes, which makes it an easy target for attacks.


    Sergei Prakapovich is a special features writer at Gaming Ideology. With a knack for in-depth analysis and storytelling, Sergei crafts compelling articles that explore the intricacies of the gaming world, offering unique insights and perspectives to readers.