Again? In March 2021, Microsoft revealed that Chinese hackers had exploited flaws in its Exchange software, quickly dubbed ProxyLogon, to steal data from several of its customers. A year and a half later, researchers from the company GTSC warn that two new "zero-day" vulnerabilities, that is, flaws for which no patch yet exists, are being exploited by hackers to spy on the emails handled by Microsoft Exchange. Microsoft confirmed the warning a few hours later.
Microsoft Exchange is one of those pieces of software that many employees use without knowing it. It centralizes all the email an organization receives and delivers it to the recipients. It is very likely sitting behind your Outlook mailbox, and thousands of companies rely on it. So when this software is targeted by attacks that exploit previously unknown flaws, many security teams go into overdrive. With good reason: at the end of the chain, this type of attack makes it possible to read the contents of mailboxes, distribute malware across the company's network, or impersonate the victim organization's employees.
RCE, synonymous with danger
If the two flaws cause so much concern, it is because they allow RCE (remote code execution), a dreaded acronym in the cybersecurity world: it means the attacker can run code of their choosing on the victim's server without any physical access to it. In other words, the whole attack can be carried out remotely.
As with ProxyLogon, the attackers exploit the vulnerabilities to deploy webshells, hidden control interfaces on the server that only the hackers can reach. With this foothold they can persist on the victim's systems for a long time to steal data, send emails in the name of the organization's employees, or move across the network. Neither the researchers nor Microsoft have yet specified the extent of the damage or the number of victims, but these are most likely highly targeted strategic or industrial espionage campaigns.
Microsoft, for its part, tries to play down the severity of the bug by pointing out that it can only be exploited by authenticated attackers, that is, hackers who have already obtained access to a user account at the victim organization. The well-known researcher Kevin Beaumont qualifies that nuance: any account will do, which makes the attack fairly easy to pull off. Microsoft also states that customers of its Exchange Online service (the version Microsoft hosts itself) do not need to act, because it has already put the necessary detection and protection measures in place.
Is Microsoft taking too long to respond?
The security team behind the discovery alerted Microsoft more than three weeks earlier through the Zero Day Initiative (ZDI), a bug-bounty program for reporting zero-day vulnerabilities run by the Japanese company Trend Micro. In practice, ZDI confirms the severity of a flaw and then contacts the vendor of the vulnerable software. ZDI rated the severity of the two vulnerabilities at 8.8 and 6.3 out of 10 on the CVSS scale commonly used in the industry, then escalated them to Microsoft.
However, after giving Microsoft three weeks to ship a patch, without success, GTSC's researchers decided to publish their findings so that Exchange customers could take appropriate protective measures. They provided some techniques to block the attacks while waiting for the patch, as well as a method for administrators to check whether the flaw has already been exploited on their systems. Full details of these procedures are available on the specialist site Bleeping Computer.
To prevent the new flaws from being exploited by just anyone, the researchers have stayed tight-lipped about the technical details. They only explained that the flaws are similar (without being identical) to those known as ProxyLogon, which marked 2021 and caused a real commotion in the security world. Basically, the new bugs follow the same path but take advantage of slightly different design flaws.
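As an added example (not material from the article, nor code from GTSC or Microsoft), the following PowerShell applies the indicator of compromise GTSC published for this campaign, a regular expression run over the Exchange server's IIS logs, first to a constructed log excerpt and then to a real log directory. The log path is a placeholder, the sample lines are made up and shaped only so that one of them matches the indicator (they are not a working exploit request), and the regular expression itself is the one from GTSC's advisory.

```powershell
# Added example; not the article's, GTSC's or Microsoft's own code.
# Indicator published by GTSC for this campaign: a request whose path contains
# "powershell", then "autodiscover.json", then "@", and that returned HTTP 200.
$Indicator = 'powershell.*autodiscover\.json.*\@.*200'

# Constructed W3C-style IIS log excerpt (assumption: field order as in the
# #Fields header below, which is the IIS default). Only the second request
# line is meant to match: the third has the same shape but was rejected (401).
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 31
2022-09-30 08:15:07 10.0.0.5 POST /autodiscover/autodiscover.json q=powershell&Email=autodiscover/autodiscover.json%3f@example.com 443 CORP\jdoe 198.51.100.22 Mozilla/5.0 - 200 0 0 75
2022-09-30 08:16:12 10.0.0.5 POST /autodiscover/autodiscover.json q=powershell&Email=autodiscover/autodiscover.json%3f@example.com 443 - 198.51.100.22 Mozilla/5.0 - 401 1 2148074254 12
'@

function Find-ExchangeIndicator {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Pattern = $Indicator
    )
    # Select-String is case-insensitive by default, which matters here because
    # the requests seen in the wild mix "Powershell" and "powershell".
    $Lines | Select-String -Pattern $Pattern
}

# 1) Dry run against the constructed excerpt: expect exactly one hit.
$hits = @(Find-ExchangeIndicator -Lines ($SampleLog -split "`r?`n"))
"Sample hits: $($hits.Count)"
$hits | ForEach-Object { $_.Line }

# 2) Real run: point at the Exchange server's IIS log directory (placeholder
#    path; the IIS default is under %SystemDrive%\inetpub\logs\LogFiles).
$IisLogPath = 'C:\inetpub\logs\LogFiles'
if (Test-Path $IisLogPath) {
    Get-ChildItem -Recurse -Path $IisLogPath -Filter '*.log' |
        Select-String -Pattern $Indicator |
        Select-Object Filename, LineNumber, Line
}
```

Any hit from the second step deserves a look at the client IP, the authenticated user and what that account did afterwards; a matching request that returned 200 is exactly the case the indicator is designed to surface, whereas 401s show attempts that were rejected.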
China accused again?
According to GTSC's researchers, the attackers use a specific webshell known as China Chopper [editor's note: "the Chinese chopper"], so called because it is widely used by hacker groups sponsored by the Chinese state and is said to be written in Chinese. Experts therefore suspect that China is behind the campaign, especially since elements of another Chinese tool, called Antsword, are also used by the attackers. To complete the picture of the perfect suspect, Microsoft had formally accused the hacking group Hafnium, believed to be sponsored by the Chinese state, of being behind the ProxyLogon attacks.
However, attributing a cyberattack is not easy, because a group from another country could use Chinese hackers' tools to cover its tracks. But China is known for its aggressive strategy in cyberspace and its relative lack of discretion.