On September 29th, Microsoft announced two zero-day vulnerabilities affecting the 2013, 2016 and 2019 versions of Microsoft Exchange Server. Note that this does not impact customers using the online version of Exchange (Exchange Online).
Microsoft reported “The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.”
According to Microsoft, there have been a limited number of targeted attacks exploiting these two vulnerabilities, and authenticated access to the Exchange Server is needed to successfully exploit either one.
For guidance on addressing these two vulnerabilities, read the Microsoft blog post; Microsoft is providing updates and scripts to help with the mitigation steps.
Currently, there is no indication that a patch is available for either vulnerability, but Microsoft has announced that it is developing one.
The cybersecurity company GTSC was credited with identifying the two zero-day vulnerabilities. The organization discovered them while responding to an incident reported by one of its customers, and documented its findings. As GTSC found and reported, these vulnerabilities are being actively exploited.
Beyond that, GTSC shared a great deal of information about the incident and its findings in a comprehensive blog post. This post included:
Temporary containment measures
Indicators of Compromise (IOCs)
MITRE ATT&CK mapping
GTSC's breakdown of the incident can be found at this link.