reader comments
8 with
It’s looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK’s biggest hacks ever—the breach of the country’s Electoral Commission, which exposed data for as many as 40 million residents.
Electoral Commission officials disclosed the breach on Tuesday. They said that they discovered the intrusion last October when they found “suspicious activity” on their networks and that “hostile actors had first accessed the systems in August 2021.” That means the attackers were in the network for 14 months before finally being driven out. The Commission waited nine months after that to notify the public.
The compromise gave the attackers access to a host of personal information, including names and addresses of people registered to vote from 2014 to 2022. Spokespeople for the Commission said the number of affected voters could be as high as 40 million. The Commission has not yet said what the cause of the breach or the means of initial entry was.
Some online sleuthing independently done by TechCrunch reporter Zack Whittaker and researcher Kevin Beaumont suggests that a pair of critical vulnerabilities in Microsoft Exchange Server, which large organizations use to manage email accounts, was the cause. Tracked as CVE-2022-41080 and CVE-2022-41082, the remote code execution chain came to light on September 30, 2022, after it had already been actively exploited for more than a month in attacks that installed malicious webshells on vulnerable servers. Microsoft issued guidance for mitigating the threat but didn’t patch the vulnerabilities until November 8, six weeks after confirming the existence of the actively exploited zero-day vulnerability chain.
In the weeks following the discovery of the zero-days, Beaumont reported that the mitigation measures Microsoft recommended could be bypassed. On Wednesday, he once again faulted Microsoft, first for providing faulty guidance and again for taking three months to release patches.
disclosed a breach that it later said was caused by the exploitation of a zero-day “associated with” CVE-2022-41080. By that point, the patches Microsoft released had been available for four weeks. The latter post, which attributed the attacks to a ransomware syndicate tracked as Play, went on to criticize Microsoft’s initial disclosure of the vulnerability.
“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,” Rackspace officials wrote.
The hack of the Commission’s Exchange server is a potent reminder of the damage that can result when the software is abused. It also underscores the harm that can happen when vendors fail to provide updates in a timely manner or issue faulty security guidance. Microsoft representatives didn’t respond to an email seeking comment.