Two Exchange server zero-day vulnerabilities are being exploited by criminals.
According to the security firm GTSC, the two zero-days were used in attacks on its customers' environments dating back to early August.
The two vulnerabilities identified by Microsoft are a server-side request forgery (SSRF) flaw and a remote code execution (RCE) flaw.
Microsoft confirmed that they are aware of limited targeted attacks using the two vulnerabilities.
An attacker would need authenticated access, for example via stolen credentials, to successfully exploit either of the two vulnerabilities, which affect on-premises Microsoft Exchange Server.
Microsoft didn't give any further details about the attacks and didn't reply to our questions. The two vulnerabilities were given severity ratings of 8.8 and 6.3 by the security firm.
The two vulnerabilities were chained to create backdoors on victims' systems. After mastering the exploit, we created attacks to collect information and gain access to the victim's system.
The webshell's codepage is the one used for simplified Chinese, and a Chinese group is suspected of being behind the attacks. The webshell deployed is China Chopper, used in attacks for persistent remote access and a preferred tool of China state-sponsored hacking groups.
A security researcher who was one of the first to discuss the vulnerability said he is aware of it being actively exploited in the wild and that he can confirm significant numbers of Exchange servers have been backdoored.
Microsoft didn't say when patches would be available, but it did say that the fix is on an accelerated timetable.
The company recommends that customers add a blocking rule in IIS Manager, following the temporary mitigation measures shared by GTSC. Exchange Online customers don't need to take any action at the moment because the zero-days only affect on-premises Exchange Server.