Hello, welcome to the Monday, October 3, 2022 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Friday, I mentioned a new Microsoft Exchange server, Saturday vulnerability.

There has been no substantial news about this vulnerability over the weekend.

Microsoft now published version two of its Exchange on-premises mitigation tool to make it easier

to apply the workaround, to block the attack. The mitigation is applied automatically

if you are taking advantage of Microsoft's

Exchange Emergency Mitigation Service

that was created about a year ago.

And just to recap, this new vulnerability exploits

essentially the same proxy log logon vulnerability or proxy shell

vulnerability that has been exploited since March last year.

The original vulnerability was patched in March, but the patch only patched the unauthenticated

version.

This new exploit does require user credentials, which will hopefully help protect some

exchange servers.

So at this point, the best you can do is apply the workaround that Microsoft recommended,

and then of course take a look at any post-exploit activity.

Microsoft also published analysis of attacks they have been seeing.

Apparently, they saw attacks against about 10 organizations.

These were sort of targeted attacks that started around August.

And SISA is warning that CVE 2020-22-36-804, that's a vulnerability in Elation

...