State-backed hackers, possibly Chinese, exploited Exchange zero-days
David Perera (@daveperera), November 9, 2022
Microsoft has patched a pair of Exchange zero-days that were publicly disclosed in late September and were already being exploited in the wild by a threat actor whose tooling carries Chinese-origin indicators.
The first flaw is a server-side request forgery vulnerability that lets an attacker reach Exchange back-end servers they could not otherwise access. The second allows remote code execution when the attacker can reach the Exchange PowerShell endpoint. The SSRF is used to reach that endpoint and trigger the second flaw. They are CVE-2022-41040 and CVE-2022-41082 respectively and are collectively known as ProxyNotShell because of their similarity to a trio of 2021 Exchange vulnerabilities known as ProxyShell.
Unlike ProxyShell, these flaws require an attacker to be authenticated on Exchange. ProxyNotShell affects 2013, 2016, and 2019 editions of Microsoft Exchange, and Microsoft says organizations that have offloaded on-premises servers to Exchange Online don’t need to take action (see: Possible Chinese Hackers Are Exploiting Microsoft Exchange 0-Days).
In its September analysis, Microsoft said it had observed fewer than 10 organizations affected by ProxyNotShell attacks and assessed "with medium confidence" that the attacker was likely a state-sponsored organization. At the time, the company recommended interim mitigations, including a URL Rewrite rule to block the malicious request pattern and limiting remote PowerShell access to administrators. It now says system administrators should apply the November security updates, since the mitigations were only a stopgap.
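The exploit chain and the mitigations above both key on one observable: an Autodiscover request whose URL contains an "@" and a path into the Exchange PowerShell back end, which is the shape Microsoft's URL Rewrite mitigation pattern `.*autodiscover\.json.*\@.*Powershell.*` blocks. The following is an added example, not code from the article or from Microsoft, that hunts for that shape in IIS W3C logs. The log lines are constructed, the field layout is the common IIS default, and the hostnames and IPs are placeholders; the regex and the assumption that the query string is logged in `cs-uri-query` are the author's, so adjust them to your own logging configuration.

```python
"""Hunt IIS W3C logs for the ProxyNotShell (CVE-2022-41040) request shape."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Request shape of the CVE-2022-41040 SSRF: an Autodiscover URL carrying an '@'
# and a path into the Exchange PowerShell back end. Mirrors the REQUEST_URI
# pattern in Microsoft's URL Rewrite mitigation, ".*autodiscover\.json.*\@.*Powershell.*".
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    date: str
    time: str
    client_ip: str
    method: str
    uri: str
    status: int


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one {field: value} dict per W3C extended-format log record.

    IIS writes a '#Fields:' directive naming the columns; the order can differ
    between servers, so the header is honored rather than hard-coded. Records
    whose column count does not match the header are skipped.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_proxynotshell(lines: Iterable[str], only_success: bool = True) -> list[Hit]:
    """Return records whose stem+query match the ProxyNotShell pattern.

    only_success=True keeps HTTP 200 responses, the strongest sign the SSRF
    reached the back end; pass False to also see failed attempts (recon, or a
    server where the URL Rewrite mitigation rejected the request).
    """
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":  # IIS logs '-' when there is no query string
            uri = f"{uri}?{query}"
        if not PROXYNOTSHELL_RE.search(uri):
            continue
        status = int(row.get("sc-status", "0") or 0)
        if only_success and status != 200:
            continue
        hits.append(Hit(row.get("date", ""), row.get("time", ""), row.get("c-ip", ""),
                        row.get("cs-method", ""), uri, status))
    return hits


def sources(hits: list[Hit]) -> dict[str, int]:
    """Count matching requests per client IP, for triage and blocking."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


# Constructed sample log (not real traffic): two exploit-shaped requests from one
# source, one legitimate Autodiscover request with an '@' in its query, one OWA POST.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 03:14:07 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEA&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.9 Mozilla/5.0 200 0 0 1208
2022-09-28 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEA&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.9 Mozilla/5.0 401 1 0 15
2022-09-28 03:15:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@corp.example 443 corp\\user 198.51.100.7 Outlook/16.0 200 0 0 44
2022-09-28 03:16:00 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302 0 0 30
"""

if __name__ == "__main__":
    for hit in find_proxynotshell(SAMPLE_LOG.splitlines(), only_success=False):
        print(hit.status, hit.client_ip, hit.method, hit.uri)
    print(sources(find_proxynotshell(SAMPLE_LOG.splitlines())))
```

Run it against a server's `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*` directory by feeding each file's lines to `find_proxynotshell`. A 200 on a matching request means the SSRF reached the back end and the host should be treated as potentially compromised; non-200 matches still tell you who is probing, and the per-IP counts from `sources` are what you hand to the firewall team. The legitimate Autodiscover line shows why the pattern requires both the "@" and the PowerShell path: user e-mail addresses routinely put an "@" in the query.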
Vietnamese cybersecurity firm GTSC first reported the vulnerabilities, saying the attackers left behind obfuscated web shells for later use as backdoors. GTSC raised the possibility that the hackers were of Chinese origin, noting their use of AntSword, "a Chinese-based active cross-platform open-source website administration tool that supports web shell management," the web shell's Simplified Chinese character encoding (code page 936), and the likely use of the China Chopper web shell.
Microsoft does not attribute the nation-state actor, though it recently accused Beijing of likely stockpiling zero-days in an effort to weaponize them for state-backed hacking.