
Emergency patch pipeline for Microsoft now! — How an unpatched Microsoft Exchange 0-day likely caused one of the UK's biggest hacks ever

Evidence appears to show a critical 0-day tracked as ProxyNotShell was exploited.

Dan Goodin – Aug 9, 2023 9:58 pm UTC

It's looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK's biggest hacks ever: the breach of the country's Electoral Commission, which exposed data for as many as 40 million residents.

Electoral Commission officials disclosed the breach on Tuesday. They said that they discovered the intrusion last October when they found suspicious activity on their networks and that hostile actors had first accessed the systems in August 2021. That means the attackers were in the network for 14 months before finally being driven out. The Commission waited nine months after that to notify the public.

The compromise gave the attackers access to a host of personal information, including names and addresses of people registered to vote from 2014 to 2022. Spokespeople for the Commission said the number of affected voters could be as high as 40 million. The Commission has not yet said what the cause of the breach or the means of initial entry was.

Some online sleuthing independently done by TechCrunch reporter Zack Whittaker and researcher Kevin Beaumont suggests that a pair of critical vulnerabilities in Microsoft Exchange Server, which large organizations use to manage email accounts, was the cause. Tracked as CVE-2022-41080 and CVE-2022-41082, the remote code execution chain came to light on September 30, 2022, after it had already been actively exploited for more than a month in attacks that installed malicious webshells on vulnerable servers. Microsoft issued guidance for mitigating the threat but didn't patch the vulnerabilities until November 8, six weeks after confirming the existence of the actively exploited zero-day vulnerability chain.

In the weeks following the discovery of the zero-days, Beaumont reported that the mitigation measures Microsoft recommended could be bypassed. On Wednesday, he once again faulted Microsoft, first for providing faulty guidance and again for taking three months to release patches.

"At the time Microsoft released temporary mitigations rather than a security patch; it took until November 2022 for a security update to appear to fully resolve the problem," the researcher wrote. "This was a significant delay. In the meantime, the security mitigations Microsoft provided were repeatedly bypassed." Later in the post, he added, "Microsoft needs to ship security patches for Microsoft Exchange Server faster. It needs some kind of emergency patch pipeline."

Citing results returned by the Shodan search engine for Internet-connected devices, both Beaumont and Whittaker said that the Commission ran an Internet-exposed on-premises Exchange Server with Outlook Web App until late September 2020, when it suddenly stopped responding. The searches show that Commission staff had last updated the server software in August. As already noted, August was the same month active exploits of vulnerabilities began.

"To be clear, this means the Electoral Commission (or their IT supplier) did the right thing; they were applying security patches quickly during this time in 2022," the researcher wrote.

Better known as ProxyNotShell, CVE-2022-41082 and CVE-2022-41080 affect on-premises Exchange servers. Microsoft said in early October that it was aware of only a single threat actor exploiting the vulnerabilities and that the actor had targeted fewer than 10 organizations. The threat actor is fluent in Simplified Chinese, suggesting it has a nexus to China.

In December, cloud host Rackspace disclosed a breach that it later said was caused by the exploitation of a zero-day associated with CVE-2022-41080. By that point, the patches Microsoft released had been available for four weeks. The latter post, which attributed the attacks to a ransomware syndicate tracked as Play, went on to criticize Microsoft's initial disclosure of the vulnerability.

"Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable," Rackspace officials wrote.

The hack of the Commission's Exchange server is a potent reminder of the damage that can result when the software is abused. It also underscores the harm that can happen when vendors fail to provide updates in a timely manner or issue faulty security guidance. Microsoft representatives didn't respond to an email seeking comment.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords.
