Two Microsoft Exchange zero-days exploited by attackers (CVE-2022-41040, CVE-2022-41082)
Attackers are leveraging two zero-day vulnerabilities (CVE-2022-41040, CVE-2022-41082) to breach Microsoft Exchange servers.
News of the attacks broke on Wednesday, when researchers with Vietnamese cybersecurity company GTSC released a warning saying that, “while providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.”
About the vulnerabilities (CVE-2022-41040, CVE-2022-41082)
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker, Microsoft explained.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.”
The vulnerabilities affect Microsoft Exchange Server versions 2013, 2016, and 2019.
Unfortunately, even though the Vietnamese researchers notified Microsoft (via Trend Micro’s Zero Day Initiative) about the flaws several weeks ago, there are no patches yet.
“Microsoft Exchange Online has detections and mitigation in place to protect customers,” Microsoft said, but urged admins of on-prem installations of Exchange Server to implement mitigations, which include adding a blocking rule and blocking some ports.
Mitigation and detection
GTSC’s researchers initially thought that the attackers were exploiting the ProxyShell vulnerability, but further analysis proved that the targeted MS Exchange servers were up-to-date with the patches, so the theory of ProxyShell being exploited was discarded.
Security researcher Kevin Beaumont says that it appears the ProxyShell patches from early 2021 did not fix the issue. “I am calling this ProxyNotShell, as it is the same path and SSRF/RCE pair from back then… but with authentication.”
GTSC’s researchers discovered the attacks at the beginning of August, and say that the attackers ultimate goal was to “create backdoors on the affected system and perform lateral movements to other servers in the system.”
The former was performed by dropping webshells. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management,” they shared.
GTSC has provided indicators of compromise and guidelines and a tool for defenders to scan IIS log files for evidence of compromise.
Both Microsoft and Trend Micro have provided detection queries and explained how to use their solutions for investigation and remediation.
“A quick sweep of the internet suggests a lot of organisations haven’t yet patched for ProxyShell, which is understandable given how Exchange patching works,” Beaumont noted, and found (via Shodan) that there are nearly 250,000 vulnerable Exchange servers exposed on the internet.
As a side note: Earlier this year, Microsoft asked bug hunters to probe on-premises Exchange and SharePoint servers.
UPDATE (October 3, 2022, 06:40 a.m. ET):
The latest developments on the situation can be found here.