Cybersecurity researchers have discovered multiple GitHub accounts selling fake proof-of-work concept exploits for the latest zero-day vulnerabilities discovered in Microsoft Exchange.
The warning follows the discovery of two new zero-day vulnerabilities in Microsoft Exchange: CVE-2022-41040 and CVE-2022-41082. These are a server-side request forgery (SSRF) flaw, and remote code execution (RCE) flaw, with both said to be being used by threat actors in the wild.
Microsoft confirmed the existence of both the flaws and threat actors using it, and said to be working on a patch (opens in new tab). Until that happens, it won’t share more details about the vulnerabilities, so as to not to give any new ideas to hackers – however, some saw this as an opportunity to make a quick buck.
Fake accounts selling fake exploits
As reported by BleepingComputer, researchers found at least two separate fraud campaigns: one comprised of five accounts looking to sell fake exploits (‘jml4da’, ‘TimWallbey’, ‘Liu Zhao Khin (0daylabin)’, ‘R007er’, and ‘spher0x’), and another one impersonating Kevin Beaumont, aka GossTheDog, a popular cybersecurity expert.
The GitHub repositories for sale luckily don’t hold any malware (opens in new tab). They don’t hold any important files either, just a README.md that details what’s known about the vulnerabilities so far, and a pitch on how the crooks are selling a copy of a PoC exploit for the zero-days.
“This means it can go unnoticed by the user and potentially by the security team as well. Such a powerful tool should not be fully public, there is strictly only 1 copy available so a REAL researcher can use it: https://satoshidisk.com/pay/xxx,” the document reads.
The file then leads to a SatoshiDisk page where gullible hackers can “buy” the fake exploit for 0.0182 Bitcoin, or roughly $420.
This should already be considered a red flag, as flaws like this one should cost at least a thousand times as much. Apparently, IT company Zerodium offers $250,000 for RCE flaws in Microsoft Exchange.
Via: BleepingComputer (opens in new tab)