Published on Oct 04, 2022
Microsoft announced on Friday that a single activity group, in August 2022, gained initial access to Exchange servers by chaining the two newly disclosed zero-day vulnerabilities in a limited set of attacks aimed at no more than ten organisations worldwide.
“These attacks installed the Chopper web shell to enable hands-on keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” wrote the Microsoft Threat Intelligence Center (MSTIC).
As a result of the highly privileged access Exchange systems confer on attackers, Microsoft expects weaponisation of the vulnerabilities to ramp up in the coming days as malicious actors co-opt the exploits into their toolkits, including the deployment of ransomware.
The tech giant has attributed the ongoing attacks with medium confidence to state-sponsored entities, stating that it has been investigating them since September 8-9, 2022, when the Zero Day Initiative disclosed the flaws to the Microsoft Security Response Center (MSRC).
The two vulnerabilities have been collectively dubbed ProxyNotShell because they share the same path and SSRF/RCE pair as ProxyShell, but require authentication.