High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.
Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild. People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.
"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."
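The port-blocking mitigation above is a Windows Firewall change on the Exchange host itself. As an added example that is not part of the Ars report or of Microsoft's advisory, the following PowerShell applies it and verifies it: it lists what is currently listening on TCP 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS), creates an inbound block rule for both, and reads the rule back. The rule name is an assumption; run it in an elevated session on the server.

```powershell
# Added example (not from the Ars article or Microsoft's advisory): block inbound
# WinRM/PowerShell remoting (TCP 5985 HTTP, 5986 HTTPS) on an on-premises Exchange
# server and verify the result. Run in an elevated PowerShell session on the host.
# Assumed: the rule name below is a placeholder chosen for this example.

$Ports    = @(5985, 5986)
$RuleName = 'Block-Inbound-WinRM-5985-5986'   # assumed name

# 1. Show what is currently listening on the remoting ports, so you know what the
#    block will affect before you apply it (OwningProcess is normally wsmprovhost/svchost).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $Ports } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Create the block rule. Remove any earlier rule of the same name first so the
#    script can be re-run without piling up duplicate rules.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -Action Block -Profile Any -Enabled True | Out-Null

# 3. Read the rule back and confirm it is enabled, is a Block action, and covers both ports.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
[PSCustomObject]@{
    Rule    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Ports   = ($filter.LocalPort -join ',')
}

# 4. From another host on the LAN, confirm the block end to end
#    (expect TcpTestSucceeded = False for both ports):
#    Test-NetConnection -ComputerName <exchange-host> -Port 5985
#    Test-NetConnection -ComputerName <exchange-host> -Port 5986
```

In Windows Firewall a Block rule wins over any Allow rule, so this cuts off WinRM from every source, including the hosts admins use for remote management; that is what the advisory asks for as an interim measure, and it is reverted with `Remove-NetFirewallRule -DisplayName $RuleName` once a patch is installed. It does not stop the Exchange Web Services, OWA or Autodiscover endpoints on 443, which is why the advisory's request-blocking rule is recommended alongside it.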
What's the news here? (Score:5, Insightful)
Re:What's the news here? (Score:4, Informative)
Re: (Score:1, Informative)
"A zero-day (also known as a 0-day) is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs"
"Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."
In the future, please understand what the fuck a mitigation is. We are now at the point of ignorance, not zero
Re: What's the news here? (Score:2)
Blocking off your server so nobody can use it isn't a fix. It's maybe a tourniquet. A tourniquet that has to be applied before you're attacked.
Re: What's the news here? (Score:4, Insightful)
Blocking off your server so nobody can use it isn't a fix. It's maybe a tourniquet. A tourniquet that has to be applied before you're attacked.
Blocking port 25 would be a "nobody can use it" move, and that would not be something the vendor would recommend.
Blocking remote management (HTTPS 5986) is something that probably shouldn't be publicly accessible in the first damn place.
Re: What's the news here? (Score:2)
Re: What's the news here? (Score:1)
They look like part of a range of ports added to accept http traffic a long time ago specifically in services like exchange. I cannot remember how that argument went but this situation was likely an argument against.
Re: (Score:2)
Is it even news that Microsoft has buggy software that endangers business?
Re:What's the news here? (Score:4, Interesting)
This kind of snide comment is so predictable on /. The fact that it gets modded +5 Insightful is really pathetic.
The article is news because 220,000 servers are at immediate risk of being exploited. How are admins supposed to find out about zero-day vulnerabilities if the news is not published?
And no, vulnerabilities this severe are not "business as usual". They are exceptional. And if you think that serious zero-day vulnerabilities only affect Microsoft products, then you know nothing about computer security.
Not safe (Score:5, Insightful)
Having exchange on the internets isn't safe. Proxy incoming and outgoing mail and VPN all other connections. How many times does it have to be exploited before people figure this out?
Re: (Score:3, Informative)
Throw exim/postfix/qmail on a modest piece of hardware and it can handle a large company's external mail. Set up two if you want to have some redundancy to make it easier to do maintenance without disruption. Deploy them with Ansible if you want to make it easier to keep the two duplicate configurations in sync and make it quick to reinstall in the rare event that you want to wipe a system and start over (a good policy to follow if your system is compromised, ideally on fresh hardware).
Re:Not safe (Score:5, Interesting)
Postfix is the king of proxy SMTP. I ran it for years as the front end answering to port 25. It could handle much larger loads than Windows/Exchange and its filtering and extensions are just incredible. We've farmed out our email services now, but for years, on the advice of a couple of people on /. way back in the day, I moved to a Postfix SMTP proxy and never went back.
Re: (Score:2)
Postfix is the king of proxy SMTP. I ran it for years as the front end answering to port 25. It could handle much larger loads than Windows/Exchange and its filtering and extensions are just incredible.
Literally every common MTA can handle more volume than Exchange. Microsoft has literally never had the best-performing anything, unless you count time to first crash.
Re: (Score:3)
I can't speak to the Windows TCP/IP stack now, but my original reason for moving to Postfix for proxy MTA was another Windows MTA (can't remember the name of it off the top) that kept running out of sockets due to Joe jobs and dictionary attacks. The attackers were literally overwhelming the Windows TCP/IP stack so that I had to actually physically log on to the Windows box (it was Windows 2000 originally but an upgrade to 2003 saw no improvement), whereas between Postfix and the Linux stack, it never got o
Re: (Score:2)
+1 for Postfix. I've used it for decades. It's one of the best-designed, best-implemented bits of software I've ever used.
Re: (Score:2)
No need to proxy - they make spam filter boxes these days that will do your proxy for you. Since everyone pretty much needs a spam filtering box like a Barracuda, it should be the public exposed MX, which then connects to your Exchange server so users are not inundated with spam. Then only allow connections from the LAN and the Barracuda and you've locked things down. (Work from home? Your email requires VPN).
Re: (Score:3)
No need for Ansible. You can just update Postfix! Yes, I know kids these days do not know what that is anymore. Have had a dual Postfix config on Linux vServers running for now 10 years, forwarding to another Postfix box that is the real MTA and takes connections only from them. Never had a problem updating it or the Linux (Debian without SystemD) below. Never any outages. Never had to do any emergency patching. It is just for my own email though.
Re: Not safe (Score:1)
Re: (Score:2)
Note #2: You are not sane if you've written more than 1 sendmail config.
This bound can be further tightened.
Re: (Score:2)
People that know what they are doing do not run Exchange in the first place, so...
Re: (Score:2)
probably the wrong audience, but this is a genuine question:
Is there some particular business advantage of using Exchange over a trusted alternative like Postfix? I see comments below saying "just use Postfix". OK - if it's that easy and objectively better, why are people still using Exchange?? Is this just an extension of the MS bad / OSS good debate?
Disclosure: I try to avoid MS products wherever possible, and run multiple Postfix instances myself. I've never touched Exchange.
Re: (Score:1)
The argument I've typically heard has something to do with some sort of proprietary Active Directory calendar/contact/schedule sharing features of MS Office and MS Project that only MS Exchange can integrate with. I don't even actually know if that's true, and I suspect that these people making this argument just aren't aware you can accomplish all the same shit through OpenLDAP, but then you couldn't have a braindead double-clicker as your head sysadmin so they'll probably never find that out either.
Re: (Score:2)
Is there some particular business advantage of using Exchange over a trusted alternative like Postfix?
Exchange does stuff that a MTA doesn't, like shared calendaring and integration with AD. You don't have to throw Exchange away, although it's crap in other ways so you arguably should. You can put postfix in front of it and use it to proxy incoming and outgoing SMTP in order to protect it.
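Several comments in this thread (the "Not safe" post and its replies, and the one just above) recommend the same architecture: a Postfix relay on the public MX, with Exchange reachable only from that relay and the LAN. As an added example that is not any commenter's config, here is a minimal Postfix main.cf for that edge relay. The domain, hostnames and the 10.0.0.0/24 and 10.0.1.10 addresses are placeholders.

```conf
# Added example, not taken from any comment in this thread: a minimal Postfix
# edge relay that accepts inbound mail for example.com and hands it to an
# internal Exchange server that accepts SMTP only from this relay and the LAN.
# example.com, mx1.example.com, 10.0.0.0/24 and 10.0.1.10 are assumed placeholders.

myhostname = mx1.example.com
mydomain   = example.com

# No local mailboxes on the relay; it only relays for the one domain.
mydestination =
relay_domains = example.com

# Route everything for example.com to the internal Exchange server.
# /etc/postfix/transport contains the single line:
#   example.com    smtp:[10.0.1.10]:25
transport_maps = hash:/etc/postfix/transport

# Relay only for recipients Exchange actually knows about, so unknown users are
# rejected at RCPT TO on the edge instead of being accepted and bounced later
# (backscatter). /etc/postfix/relay_recipients has one "user@example.com OK"
# line per mailbox; regenerate it from Active Directory on a schedule.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Trusted networks: localhost and the internal segment only. Exchange submits
# outbound mail to this host through a send connector, and mynetworks is what
# lets it relay out. Everything else is an untrusted client.
mynetworks = 127.0.0.0/8, [::1]/128, 10.0.0.0/24

# Order matters: trusted networks may relay anywhere; everyone else may only
# deliver to relay_domains, and only to listed recipients. This is what keeps
# the box from being an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient
```

After editing, run `postmap /etc/postfix/transport` and `postmap /etc/postfix/relay_recipients` to build the lookup tables, then `postfix reload`. The firewall in front of Exchange should then admit TCP 25 only from the relay's address and the LAN, and nothing else about Exchange (OWA, EWS, Autodiscover, remoting) should be reachable from the internet; that is the "VPN all other connections" half of the recommendation.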
Notes (Score:3, Funny)
Re: (Score:2)
Re: Notes (Score:1)
I bought a new Nokia dumb phone for this reason last year. Battery lasted 2 weeks with moderate use. Unfortunately KaiOS which runs it is a slow bug ridden POS and the phone locked up twice which was a problem since it had no hard reset nor a removable battery and I had to wait for it to discharge each time. After the 2nd lockup it went in the cupboard and hasn't been out since.
Re: (Score:2)
I'm sure those in South Florida would appreciate hardware that could last days or weeks without needing a recharge instead of hours. Many sick and worried about missing loved ones would pay anything for a decade-old text message right about now.
Oh god, I still remember my Blackberry. Only charged it every Monday and Thursday.
Re: (Score:2)
Notes was probably an order of magnitude more complex than Exchange, at least. Exchange is just a fancy email and calendar program with a shitty mail server in it. Notes was a platform. And it may still be used somewhere for all I know, but if so I prefer to live in ignorance so I will speak of it only in the past tense. It was a gigantic turd.
Re: (Score:2)
For most of its existence, Lotus Notes was an IBM product, which explains the development goals. And the name is "Domino" now.
Re: (Score:2)
My memories of Notes were much like my experience of Salesforce is turning out (I'm taking a free "class" consisting of their learning material, which is as uneven as their product.) I worked for support at Tivoli right after acquisition and by default we each had, and I am not making this up, an OS/2 machine running a screen scraper for the mainframe app RETAIN (the case tracking software) called ACME and a Windows 2000 machine so we could run Notes. You couldn't really get away from the latter, but if you
So glad I don't have to deal with that (Score:2)
Good old MicroCrap (Score:2)
Rely on them, get fucked.
Not a New Vulnerability (Score:1)
It is not a New Vulnerability, nor is it "zero-day". The flaw existed since Microsoft wrote it into the code. However, the "vulnerability" is not being used exclusively (any more) by the people who paid Microsoft to put it in place, so now that is a problem. It is the discovery that a deliberately placed back-door is being used by parties other than those that bought and paid for the backdoor.
Pretty standard Microsoft stuff.