Microsoft acknowledged on Wednesday that a serious new security vulnerability in Microsoft Exchange Server has been actively exploited in the wild, a day after releasing fixes for it as part of this month's Patch Tuesday updates.
What is the problem with Microsoft Exchange Server?
Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue is described as a privilege escalation flaw affecting Microsoft Exchange Server.
“An attacker could target an NTLM client such as Outlook with an NTLM vulnerability involving credential disclosure,” the company said in an advisory published this week, adding: “The disclosed credentials can then be relayed to the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on behalf of the victim.”
“Successful exploitation of the flaw could allow an attacker to relay a user's leaked Net-NTLMv2 hash to a susceptible Exchange server and authenticate as the user,” Redmond added.
The tech giant, in an update to its bulletin, has revised its exploitability assessment to “Exploit Detection”, noting that Extended Protection for Authentication (EPA) is now enabled by default with Cumulative Update 14 (CU14) of Microsoft Exchange Server 2019.
Details about the nature of the exploitation and the identity of the threat actors who may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking groups such as APT28 (also known as Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to carry out NTLM relay attacks.
Earlier this month, Trend Micro implicated the adversary in NTLM relay attacks (NTLM being a protocol that, not surprisingly, has since been superseded) targeting high-value entities since at least April 2022; the intrusions targeted organizations dealing with foreign affairs, energy, defense and transport, as well as those involved in labour, social care, finance, parenting and local city councils.
CVE-2024-21410 joins two other Windows vulnerabilities, CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1), that Microsoft patched this week and that have been actively used in real-world attacks.
The exploitation of CVE-2024-21412, a bug that allows Windows SmartScreen protections to be bypassed, has been attributed to an advanced persistent threat group called Water Hydra (also known as DarkCasino), which previously exploited zero-days in WinRAR to distribute the DarkMe trojan.
“The group used Internet shortcuts disguised as a JPEG image that, when selected by the user, allow the cybercriminals to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and completely compromise the Windows host as part of its attack chain.”
Microsoft's Patch Tuesday update also addresses CVE-2024-21413, another serious flaw affecting the Outlook email client that could lead to remote code execution while easily bypassing security measures such as Protected View.
Called MonikerLink by Check Point, the problem “allows for a broad and serious impact, ranging from disclosure of local NTLM credential information to execution of malicious code.”
The vulnerability arises from incorrect parsing of “file://” URLs when an exclamation mark is appended to a URL that points to an arbitrary payload hosted on an attacker-controlled server (for example, “file:///\\10.10.111.111\test\test.rtf!something”).
“The flaw not only allows local NTLM information to be disclosed, but it could also allow remote code execution and more as an attack vector,” said cybersecurity firm Trend Micro, adding that “it could also bypass Office Protected View when used as an attack vector to target other Office applications.”
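As an added illustration, not part of the original article or of Check Point's research, here is a small Python checker a defender could run over hyperlinks extracted from e-mail bodies to flag the MonikerLink pattern the paragraph describes: a `file://` URL whose remote UNC target is followed by the `!` moniker separator. The sample links and the HTML body are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample hyperlinks (not from any real message): the first mirrors the
# pattern described in the article (UNC target plus "!"), the others are benign controls.
SAMPLE_LINKS = [
    "file:///\\\\10.10.111.111\\test\\test.rtf!something",
    "file://///fileserver/share/report.docx",
    "https://example.com/page",
    "file:///C:/Users/me/notes.txt",
]

# Constructed HTML e-mail body embedding those links.
SAMPLE_HTML = "".join(f'<p><a href="{u}">link</a></p>' for u in SAMPLE_LINKS)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def classify_file_link(url: str) -> Dict[str, object]:
    """Describe why a hyperlink looks like a MonikerLink-style file:// URL:
    a remote (UNC) target followed by a '!' that separates the moniker item."""
    result = {"url": url, "file_scheme": False, "remote": False,
              "has_moniker": False, "host": "", "moniker": "", "suspicious": False}
    u = url.strip()
    if not u.lower().startswith("file:"):
        return result
    result["file_scheme"] = True
    # Normalise separators and drop the scheme's leading slashes; what remains is
    # either a drive-letter path (local) or host/share/path (remote UNC).
    path = u[len("file:"):].replace("\\", "/").lstrip("/")
    result["remote"] = re.match(r"^[A-Za-z]:/", path) is None
    if "!" in path:
        target, moniker = path.split("!", 1)
        result["has_moniker"] = True
        result["moniker"] = moniker
    else:
        target = path
    result["host"] = target.split("/", 1)[0] if result["remote"] else ""
    # Flag only the combination the article describes: remote target plus moniker suffix.
    result["suspicious"] = bool(result["remote"] and result["has_moniker"])
    return result


def scan_html(html: str) -> List[Dict[str, object]]:
    """Extract href values from an HTML body and return only the suspicious ones."""
    return [r for r in (classify_file_link(h) for h in HREF_RE.findall(html)) if r["suspicious"]]


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"suspicious link -> host={f['host']} moniker={f['moniker']} url={f['url']}")
```

A hit is a reason to quarantine the message for review; the check deliberately ignores local drive-letter paths and `file://` links without a `!` suffix, so plain UNC document links on an intranet do not fire it.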