High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild.
People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.

"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."
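As an added defender-side example (not part of the Ars report or the GTSC post), the script below hunts constructed firewall log lines for the two concrete things the summary names: traffic to the hardcoded address 137[.]184[.]67[.]33 and external connections to the WinRM ports 5985/5986 that Microsoft recommends blocking. The log line format and the sample lines are assumptions made for this example.

```python
import ipaddress
import re

# The C2 address is written defanged in the report ("137[.]184[.]67[.]33"),
# so it is refanged before comparison.
def refang(indicator: str) -> str:
    """Turn a defanged IP such as 137[.]184[.]67[.]33 back into dotted form."""
    return indicator.replace("[.]", ".")

BEACON_IP = ipaddress.ip_address(refang("137[.]184[.]67[.]33"))
# WinRM HTTP/HTTPS ports Microsoft recommended blocking, per the report.
REMOTE_MGMT_PORTS = {5985, 5986}
# RFC 1918 ranges treated as "inside"; any other source is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format (an assumption, not any real product's format):
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> ALLOW|DENY"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$")

def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def findings_for(line: str) -> list:
    """Return the indicator names one log line matches (empty if none or unparseable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    hits = []
    if dst == BEACON_IP:                       # a host talking to the hardcoded C2
        hits.append("outbound-to-backdoor-c2")
    if int(m["dport"]) in REMOTE_MGMT_PORTS and not is_internal(src):
        hits.append("external-winrm-allowed" if m["action"] == "ALLOW"
                    else "external-winrm-attempt")
    return hits

def hunt(lines) -> list:
    """Scan log lines; return (line, findings) for every line that matched something."""
    return [(ln, f) for ln in lines if (f := findings_for(ln))]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2022-09-29T10:01:02Z 10.0.0.5:52113 -> 137.184.67.33:443 ALLOW
2022-09-29T10:01:05Z 10.0.0.7:51000 -> 10.0.0.9:5985 ALLOW
2022-09-29T10:02:11Z 203.0.113.20:40001 -> 10.0.0.9:5986 ALLOW
2022-09-29T10:02:12Z 203.0.113.20:40002 -> 10.0.0.9:5985 DENY
2022-09-29T10:03:00Z 10.0.0.5:52114 -> 198.51.100.4:443 ALLOW
not a log line
""".splitlines()

if __name__ == "__main__":
    for line, hits in hunt(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Internal WinRM traffic (line 2 of the sample) is deliberately not flagged; the point is management ports reachable from outside, which is what the blocking advice addresses.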
  • by RUs1729 ( 10049396 ) on Saturday October 01, 2022 @08:14AM (#62928905)
    This is just business as usual for MS.
    • Indeed. Why would ports 5985 and 5986 be open to the external world? Admins don't have a fw? Ignore the use of it? Or maybe bean counters decided to save and offshored fw config/maintenance to some super cheap place. Pity that bean counters never get screwed on technical staff.
      • They look like part of a range of ports added to accept http traffic a long time ago specifically in services like exchange. I cannot remember how that argument went but this situation was likely an argument against.

    • by mspohr ( 589790 )

      Is it even news that Microsoft has buggy software that endangers business?

    • by nuckfuts ( 690967 ) on Saturday October 01, 2022 @02:08PM (#62929587)

      This kind of snide comment is so predictable on /. The fact that it gets modded +5 Insightful is really pathetic.

      The article is news because 220,000 servers are at immediate risk of being exploited. How are admins supposed to find out about zero-day vulnerabilities if the news is not published?

      And no, vulnerabilities this severe are not "business as usual". They are exceptional. And if you think that serious zero-day vulnerabilities only affect Microsoft products, then you know nothing about computer security.

  • Not safe (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday October 01, 2022 @08:14AM (#62928907) Homepage Journal

    Having exchange on the internets isn't safe. Proxy incoming and outgoing mail and VPN all other connections. How many times does it have to be exploited before people figure this out?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Throw exim/postfix/qmail on a modest piece of hardware and it can handle a large company's external mail. Setup two if you want to have some redundancy to make it easier to do maintenance without disruption. Deploy them with Ansible if you want to make it easier to keep the two duplicate configurations in sync and make it quick to reinstall in the rare event that you want to wipe a system and start over (a good policy to follow if your system is compromised, ideally on fresh hardware).

      • Re:Not safe (Score:5, Interesting)

        by MightyMartian ( 840721 ) on Saturday October 01, 2022 @08:42AM (#62928943) Journal

        Postfix is the king of proxy SMTP. I ran it for years as the front end answering to port 25. It could handle much larger loads than Windows/Exchange and its filtering and extensions are just incredible. We've farmed out our email services now, but for years, on the advice of a couple of people on /. way back in the day, I moved to a Postfix SMTP proxy and never went back.

        • Postfix is the king of proxy SMTP. I ran it for years as the front end answering to port 25. It could handle much larger loads than Windows/Exchange and its filtering and extensions are just incredible.

          Literally every common MTA can handle more volume than Exchange. Microsoft has literally never had the best-performing anything, unless you count time to first crash.

          • I can't speak to the Windows TCP/IP stack now, but my original reason for moving to Postfix for proxy MTA was another Windows MTA (can't remember the name of it off the top) that kept running out of sockets due to Joe jobs and dictionary attacks. The attackers were literally overwhelming the Windows TCP/IP stack so that I had to actually physically log on to the Windows box (it was Windows 2000 originally but an upgrade to 2003 saw no improvement), whereas between Postfix and the Linux stack, it never got o

        • +1 for Postfix. I've used it for decades. It's one of the best-designed, best-implemented, bits of software I've ever used.

      • by tlhIngan ( 30335 )

        No need to proxy - they make spam filter boxes these days that will do your proxy for you. Since everyone pretty much needs a spam filtering box like a Barracuda, it should be the public exposed MX, which then connects to your Exchange server so users are not inundated with spam. Then only allow connections from the LAN and the Barracuda and you've locked things down. (Work from home? Your email requires VPN).

      • by gweihir ( 88907 )

        No need for Ansible. You can just update PostFix! Yes, I know kids these days do not know what that is anymore. Have had a dual PostFix config on Linux vServers running for now 10 years, forwarding to another PostFix box that is the real MTA and takes connections only from them. Never had a problem updating it or the Linux (Debian without SystemD) below. Never any outages. Never had to do any emergency patching. It is just for my own email though.

    • You might laugh, but I'm still supporting multiple sendmail frontends that relay to central Exchange. Learning curve of sendmail is steep, but after two decades you will master it!!!
    • by gweihir ( 88907 )

      People that know what they are doing do not run Exchange in the first place, so...

    • Probably the wrong audience, but this is a genuine question:

      Is there some particular business advantage of using Exchange over a trusted alternative like Postfix? I see comments below saying "just use Postfix". OK - if it's that easy and objectively better, why are people still using Exchange?? Is this just an extension of the MS bad / OSS good debate?

      Disclosure: I try to avoid MS products wherever possible, and run multiple Postfix instances myself. I've never touched Exchange.

      • The argument I've typically heard has something to do with some sort of proprietary Active Directory calendar/contact/schedule sharing features of MS Office and MS Project that only MS Exchange can integrate with. I don't even actually know if that's true, and I suspect that these people making this argument just aren't aware you can accomplish all the same shit through OpenLDAP, but then you couldn't have a braindead double-clicker as your head sysadmin so they'll probably never find that out either.

      • Is there some particular business advantage of using Exchange over a trusted alternative like Postfix?

        Exchange does stuff that a MTA doesn't, like shared calendaring and integration with AD. You don't have to throw Exchange away, although it's crap in other ways so you arguably should. You can put postfix in front of it and use it to proxy incoming and outgoing SMTP in order to protect it.

  • Notes (Score:3, Funny)

    by jmccue ( 834797 ) on Saturday October 01, 2022 @08:25AM (#62928919) Homepage
    This never happened with Lotus Notes :)
    • The smaller and simpler the application, the harder it is to hide flaws in it.
      • Notes was probably an order of magnitude more complex than Exchange, at least. Exchange is just a fancy email and calendar program with a shitty mail server in it. Notes was a platform. And it may still be used somewhere for all I know, but if so I prefer to live in ignorance so I will speak of it only in the past tense. It was a gigantic turd.

        • For most of its existence, Lotus Notes was an IBM product, which explains the development goals. And the name is "Domino" now.

          • My memories of Notes were much like my experience of Salesforce is turning out (I'm taking a free "class" consisting of their learning material, which is as uneven as their product.) I worked for support at Tivoli right after acquisition and by default we each had, and I am not making this up, an OS/2 machine running a screen scraper for the mainframe app RETAIN (the case tracking software) called ACME and a Windows 2000 machine so we could run Notes. You couldn't really get away from the latter, but if you

  • One of the happiest days of my life was when I never had to support a Blackberry Enterprise Server any more. The second happiest day of my life was when I didn't have to support an Exchange server.
  • Rely on them, get fucked.

  • It is not a new vulnerability, nor is it "zero-day". The flaw existed since Microsoft wrote it into the code. However, the "vulnerability" is not being used exclusively (any more) by the people who paid Microsoft to put it in place, so now that is a problem. It is the discovery that a deliberately placed back-door is being used by parties other than those that bought and paid for the backdoor.

    Pretty standard Microsoft stuff.
