CISA orders agencies to patch Exchange bug abused by ransomware gang

The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today.

The first is a Microsoft Exchange elevation of privileges bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution.

Texas-based cloud computing provider Rackspace confirmed one week ago that the Play ransomware gang exploited CVE-2022-41080 as a zero-day to bypass Microsoft’s ProxyNotShell URL rewrite mitigations and escalate privileges on compromised Exchange servers.

The exploit used in the attack, dubbed OWASSRF by CrowdStrike security researchers who spotted it, was also shared online with some of Play ransomware’s other malicious tools.

This will likely make it easier for other cybercriminals to build their own exploits or adapt Play ransomware’s tool for their own purposes, adding to the urgency of patching the vulnerability as soon as possible.

Organizations with on-premises Microsoft Exchange servers are advised to deploy the latest Exchange security updates immediately (with November 2022 being the minimum patch level) or disable Outlook Web Access (OWA) until they can apply CVE-2022-41080 patches.
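As an added illustration that is not part of the original article or of Microsoft’s or CISA’s guidance, the following PowerShell, run in the Exchange Management Shell on an on-premises server, compares the installed build against the November 2022 security update build for that server’s cumulative update. The build numbers are assumptions taken from Microsoft’s Exchange build-number table and should be verified there; the function and variable names are also assumed.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell on each
# on-premises Exchange server. ASSUMPTION: the November 2022 SU builds below are
# taken from Microsoft's Exchange build-number table; verify before relying on them.
$Nov2022SuBuilds = @{
    '15.2.1118' = [version]'15.2.1118.20'   # Exchange 2019 CU12
    '15.2.986'  = [version]'15.2.986.36'    # Exchange 2019 CU11
    '15.1.2507' = [version]'15.1.2507.16'   # Exchange 2016 CU23
    '15.0.1497' = [version]'15.0.1497.44'   # Exchange 2013 CU23
}

function Test-Nov2022Su {
    # ExSetup.exe carries the full build including the SU level;
    # Get-ExchangeServer's AdminDisplayVersion only reflects the CU, not the SU.
    $installed = [version](Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    $cuKey = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build

    if (-not $Nov2022SuBuilds.ContainsKey($cuKey)) {
        # A CU not in the table is either newer than this script or out of support.
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; Build = $installed; Status = 'UnknownCU' }
    }
    $required = $Nov2022SuBuilds[$cuKey]
    $status = if ($installed -ge $required) { 'Patched' } else { 'Vulnerable' }
    return [pscustomobject]@{ Server = $env:COMPUTERNAME; Build = $installed; Required = $required; Status = $status }
}

$result = Test-Nov2022Su
$result | Format-List

if ($result.Status -eq 'Vulnerable') {
    Write-Warning "Build $($result.Build) predates the November 2022 SU ($($result.Required)); CVE-2022-41080 is unpatched."
    # Stopgap until the SU is applied: remove the OWA virtual directory on this server
    # (it can be re-created afterwards with New-OwaVirtualDirectory). Disabling OWA
    # per mailbox with Set-CASMailbox -OWAEnabled $false is a weaker measure, since
    # it does not take the /owa endpoint itself off the front end.
    # Get-OwaVirtualDirectory -Server $env:COMPUTERNAME | Remove-OwaVirtualDirectory -Confirm:$false
}
```

Run the check on every Exchange server in the organization, not only the internet-facing ones: the chain described above starts with an authenticated request, so an internal server that is reachable from a compromised workstation is still exposed.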

The second vulnerability CISA added to its Known Exploited Vulnerabilities (KEV) catalog is a privilege escalation zero-day (CVE-2023-21674) in the Windows Advanced Local Procedure Call (ALPC), tagged as being exploited in attacks and patched by Microsoft during this month’s Patch Tuesday.

Federal agencies have to patch by the end of January

The BOD 22-01 binding operational directive issued by CISA in November 2021 requires all Federal Civilian Executive Branch (FCEB) agencies to secure their networks against bugs added to the KEV catalog.

Today, CISA gave FCEB agencies three weeks, until January 31st, to address the two security flaws and block potential attacks targeting their systems.

While this directive only applies to U.S. federal agencies, CISA also strongly urged all organizations to fix these vulnerabilities to thwart exploitation attempts.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned today.

Since the BOD 22-01 directive was issued, CISA has added more than 800 security flaws to its list of bugs exploited in the wild, requiring federal agencies to address them on a tighter schedule to prevent potential security breaches.
