Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally.
"These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center (MSTIC) said in a new analysis.
The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the "highly privileged access Exchange systems confer onto an attacker."
The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier last month on September 8-9, 2022.
The two vulnerabilities have been collectively dubbed ProxyNotShell, owing to the fact that "it is the same path and SSRF/RCE pair" as ProxyShell but with authentication, suggesting an incomplete patch.
The issues, which are strung together to achieve remote code execution, are listed below -
CVE-2022-41040 (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2022-41082 (CVSS score: 8.8) - Microsoft Exchange Server Remote Code Execution Vulnerability