Microsoft Patches ProxyNotShell Exchange VulnerabilitiesState-Backed Hackers, Possibly Chinese, Exploited Zero-Days
Microsoft patched a pair of Exchange zero-days publicly disclosed in late September and known to have been exploited in the wild by a threat actor with indicators of Chinese origin.
The first flaw is a server-side request forgery vulnerability that allows attackers access to back-end servers that they would not have otherwise. The second flaw allows remote code execution when Remote PowerShell is activated. Attackers can exploit the first flaw to trigger the second. They are, respectively, CVE-2022-41040 and CVE-2022-41082 and together are known as ProxyNotShell for their similarity to a trio of 2021 Exchange vulnerabilities together known as ProxyShell.
Unlike ProxyShell, these flaws require an attacker to be authenticated onto Exchange. ProxyNotShell affects the 2013, 2016 and 2019 editions of Microsoft Exchange, and Microsoft says that organizations that have offloaded on-premises servers in favor of Exchange Online don't need to take action (see: Possible Chinese Hackers Exploit Microsoft Exchange 0-Days).
In September analysis, Microsoft said it observed fewer than 10 organizations affected by ProxyNotShell attacks - and expressed "with medium confidence" that the attacker was likely a state-sponsored organization. At the time, it recommended mitigations including limiting access to PowerShell. The company now says systems administrators should implement the patch.
Vietnamese cybersecurity firm GTSC first reported the vulnerabilities, saying that attackers were leaving behind obfuscated web shells for later use as a backdoor. GTSC raised the prospect of the hackers being of Chinese origin, noting their use of AntSword -"an active Chinese-based open-source cross-platform website administration tool that supports web shell management," web shell encoding in simplified Chinese characters and likely use of the China Chopper web shell.
Microsoft isn't attributing the nation-state actor, although it recently charged Beijing with likely stockpiling zero-days with an eye to weaponizing them for state-backed hacking.