Microsoft: New Exchange Server zero-days already used in attacks, expect more to come

Attackers have already exploited the newly disclosed Microsoft Exchange Server vulnerabilities, so act now.
Written by Danny Palmer, Senior Writer
close up programmer man hand typing on keyboard laptop for register data system or access password at dark operation room , cyber security concept
Image: Getty Images/iStockphoto

Microsoft has warned that attackers are already taking advantage of recently disclosed zero-day exploits to hack into victim's networks and steal data – and more attacks are likely to be on the way.

The two new zero-day vulnerabilities in Microsoft Exchange Server -- CVE-2022-41040 and CVE-2022-41082 -- were detailed last week, with warnings that they could allow hackers to remotely gain access to internal services and execute remote code on networks. 

Now Microsoft has provided more information on how the vulnerabilities have already been used – in attacks that first started in August. 

In what's described as a "small number of targeted attacks", the CVE-2022-41040 and CVE-2022-41082 vulnerabilities were chained together to provide attackers with "hands-on-keyboard access", which was used to perform Active Directory reconnaissance and to steal data. The victims haven't been publicly disclosed.

Also: The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats

The attacks require the attacker to be an authenticated user, but it's possible to gain access to these credentials with phishing attacks, brute force attacks or buying stolen usernames and passwords from underground forums

While there's currently no specific indications as to who's behind these attacks, Microsoft's Security Threat Intelligence Team (MSTIC) "assesses with medium confidence" that they're the work of a single activity group connected to a state-sponsored cyber operation

Microsoft says it's working on what it describes as an "accelerated timeline" to release a security fix for the vulnerability – although it has yet to emerge. 

But since the vulnerability has been publicly disclosed, it's likely that hacking operations are already moving to take advantage of it before a patch becomes available, with Microsoft warning that "overall exploitation of these vulnerabilities will increase". 

Previous Microsoft Exchange vulnerabilities were featured in a variety of cyberattacks, including state-sponsored cyber-espionage campaigns, ransomware operations and cryptojacking attacks as attackers rushed to exploit the vulnerabilities before organisations had a chance to apply the patch. 

The United States Cybersecurity & Infrastructure Security Agency (CISA) has also issued a warning that attackers could exploit the latest Microsoft Exchange Server vulnerabilities. 

While a patch is yet to become available, Microsoft has provided guidance on mitigating the threat, including the recommendation that Exchange Server customers disable remote PowerShell access for non-admin users. 

"CISA encourages users and administrators to review the information from Microsoft and apply the necessary mitigations until patches are made available," said a CISA alert


Editorial standards