Security vendor that discovered bug recommends organizations limit IIS app operating privileges on Exchange Server
What: Microsoft is apparently looking into a report it received from South Korean cybersecurity vendor AhnLab about yet another Exchange Server zero-day vulnerability. To be clear, the vulnerability it is reportedly looking into now is different from the two Exchange Server zero-days (CVE-2022-41040 and CVE-2022-41082) that the company disclosed recently. Those vulnerabilities remain unpatched.
AhnLab said it discovered the alleged zero-day while investigating a LockBit 3.0 ransomware incident at a customer site in July. Two servers running Windows Server 2016 Standard were affected. Some 1.3 TB of data was stolen and encrypted.
The attack: AhnLab said the attack began with a web shell upload that exploited the Exchange Server zero-day. The attackers used the web shell to establish an RDP connection via SSH tunneling. They then used the BloodHound tool to retrieve information about the victim's Active Directory (AD) environment, followed by the Mimikatz post-exploitation tool to retrieve AD admin account information. During the attack, the threat actors used multiple VPN IP addresses to call the web shell, before using the WMIC utility to remotely manage LockBit 3.0 on the compromised servers. AhnLab said it is possible that CVE-2022-41040 and CVE-2022-41082 were used in the attack, but the evidence suggests otherwise: the attack method, the web shell file name and the actions carried out after the web shell was created all point to a different zero-day vulnerability, the vendor noted.
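One pattern in the chain described above that a defender can hunt for in IIS logs is a web shell being called from several different source addresses. The script below is an added example, not code from AhnLab, Microsoft or the original article; it parses IIS W3C log lines and flags any .aspx resource that is absent from a known-good baseline and receives requests from two or more distinct client IPs. The log lines, the baseline set and the file name /aspnet_client/constructed_shell.aspx are all constructed for illustration and are not indicators from the incident.

```python
"""Flag .aspx resources outside a known-good baseline that are hit from multiple IPs.

Added example (not AhnLab's or Microsoft's code). Input is IIS W3C log text;
the baseline is assumed to come from an inventory of the server's legitimate
virtual directories.
"""
from collections import defaultdict

# Constructed sample IIS W3C log lines (not from the incident).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-07-10 01:02:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.10 Mozilla/5.0 200
2022-07-10 01:05:11 10.0.0.5 POST /aspnet_client/constructed_shell.aspx - 443 - 198.51.100.10 Mozilla/5.0 200
2022-07-10 01:07:42 10.0.0.5 POST /aspnet_client/constructed_shell.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2022-07-10 01:09:00 10.0.0.5 POST /aspnet_client/constructed_shell.aspx - 443 - 192.0.2.99 curl/7.79 200
2022-07-10 01:10:15 10.0.0.5 GET /ecp/default.aspx - 443 user1 198.51.100.10 Mozilla/5.0 200
"""

# Constructed baseline of .aspx paths that legitimately exist on this server.
# In practice, build this from a known-good inventory of the Exchange virtual
# directories rather than from the logs themselves.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        # Skip records that do not match the header (e.g. a truncated line).
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_suspect_aspx(text, known=KNOWN_ASPX, min_ips=2):
    """Return {uri: sorted client IPs} for unknown .aspx URIs hit from >= min_ips sources."""
    ips_by_uri = defaultdict(set)
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri.endswith(".aspx") and uri not in known:
            ips_by_uri[uri].add(rec["c-ip"])
    return {uri: sorted(ips) for uri, ips in ips_by_uri.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for uri, ips in find_suspect_aspx(SAMPLE_LOG).items():
        print(f"suspect {uri} called from {len(ips)} addresses: {', '.join(ips)}")
```

The multi-IP threshold only catches the behaviour the report describes; a shell called from a single address would not trip it, so pair this with file-creation monitoring on the Exchange web directories and with a baseline that is refreshed after every patch.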
The security vendor disclosed its discovery in a Korean-language blog post on October 6. That post has since been deleted, but a cached copy is available on the Wayback Machine archive.
Further reading:
Link to AhnLab’s bug disclosure on Wayback Machine with detailed information on the attack