At a glance.
- Microsoft Exchange Server zero-days exploited in the wild.
- Apparent hacktivism against the Mexican government.
- Lazarus Group's BYOVD spearphishing campaign.
- Customer service software supply chain attack.
- Underground markets offer to help Russians avoid mobilization.
- MI5 website sustains brief DDoS attack.
Microsoft warns of Exchange Server vulnerabilities.
Late Friday Microsoft disclosed two zero-day vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019. The first, CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability; the second, CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft notes that the SSRF lets an authenticated attacker remotely trigger the RCE, so the two are chained in practice. Redmond is working on a fix; until one is available, customers may apply the mitigations Microsoft's Security Response Center shared in its "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server." Late Sunday Microsoft added further advice: "We strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization."
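The interim advice above is a per-user setting in the Exchange Management Shell, and the practical difficulty is turning it off broadly without locking out the administrators who need it. The script below is an added example, not code from the original post or from Microsoft's guidance: it assumes on-premises Exchange 2013/2016/2019, treats members of the built-in role groups listed in $AdminRoleGroups as admins to keep (add any custom admin role groups your organization uses), and runs with -WhatIf until $DryRun is set to $false.

```powershell
# Added example (not from the original post or Microsoft's advisory).
# Run in the Exchange Management Shell on an on-premises Exchange server.
# Assumptions: the role groups below are the ones whose members must keep
# remote PowerShell; everyone else is a "non-admin user" in Microsoft's sense.

$DryRun = $true   # flip to $false once the -WhatIf output looks right

# Built-in role groups whose members are treated as admins and left alone.
$AdminRoleGroups = @(
    'Organization Management',
    'Recipient Management',
    'Server Management',
    'Hygiene Management'
)

# Collect the distinguished names of every member of those role groups.
$AdminDNs = foreach ($rg in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $rg -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DistinguishedName }
}
$AdminSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$AdminDNs)

# Mailbox users who still have remote PowerShell enabled and are not admins.
$Candidates = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        $_.RemotePowerShellEnabled -and -not $AdminSet.Contains($_.DistinguishedName)
    }

Write-Host ("{0} non-admin users currently have remote PowerShell enabled" -f @($Candidates).Count)

# Disable remote PowerShell for each candidate (dry run by default).
foreach ($u in $Candidates) {
    if ($DryRun) {
        Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf
    } else {
        Set-User -Identity $u.Identity -RemotePowerShellEnabled $false
    }
}

# Verification: after a real run this should list only the excluded admins
# (and any non-mailbox accounts you chose not to touch).
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, RecipientTypeDetails, RemotePowerShellEnabled
```

Two caveats a practitioner will want. First, service and automation accounts that legitimately use remote PowerShell will not be in the admin role groups, so review the dry-run output before the real run. Second, this setting only constrains the PowerShell half of the chain; it is a complement to the URL Rewrite mitigation in Microsoft's guidance, not a replacement for it or for the eventual patch.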
Hanoi-based security firm GTSC discovered the zero-days in the course of its monitoring and incident response work. GTSC sees strong circumstantial evidence that the threat actor or actors behind the activity are Chinese: "We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese."
Late Friday the US Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2022-41082 and CVE-2022-41040 to its Known Exploited Vulnerabilities Catalog. In both cases CISA advises organizations to apply the mitigations Microsoft has provided. US federal civilian executive branch agencies have until October 21st to take action. For more information on the Microsoft Exchange zero-days, see CyberWire Pro.