Week 40 | 3rd – 7th October 2022

Key Issue: Zero–day Microsoft Exchange vulnerability mitigation can be bypassed
Cybercriminals: Ransomware groups demonstrate a diverse approach to operations
Nation–State: Nation–state units target the defence sector
Hacktivist: Environmental hacktivist group Guacamaya compromises military networks

KEY ISSUE:
Our key issue highlights two Microsoft Exchange zero–day vulnerabilities that were discovered last week, as researchers this week have warned that mitigations provided by Microsoft can be bypassed by threat actors.

The vulnerabilities are tracked as CVE–2022–41040 (CVSS: 8.8| OVSS: 59), a server–side request forgery vulnerability, and CVE–2022–41082 (CVSS: 8.8| OVSS: 56), which enables remote code execution access to PowerShell dependent on adversary access. To reduce the risk of exploitation, Microsoft encouraged users to implement a rule in the Internet Information Services Manager, however, a security researcher tweeted that the URL pattern only focused on known exploits and can easily be bypassed, thus rendering the mitigation advice redundant.

The researcher has advocated a less specific, alternative string that covers a wider range of exploits. This disclosure comes amid reports that threat actors were chaining the vulnerabilities together to achieve remote code execution. As such, we assess that these vulnerabilities will continue to be widely exploited in the absence of patches from Microsoft.