Attackers leverage two zero-day vulnerabilities (CVE-2022-41040, CVE-2022-41082) to breach Microsoft Exchange servers.
News of the attacks broke on Wednesday when researchers with Vietnamese cybersecurity company GTSC released a warning saying that “while providing SOC service to a customer, GTSC Blue team detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.”
About the vulnerabilities (CVE-2022-41040, CVE-2022-41082)
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker, Microsoft explained.
“At this time, Microsoft is aware of limited, targeted attacks using the two vulnerabilities to get into users’ systems. CVE-2022-41040 can enable an authenticated attacker to trigger CVE-2022-41082 remotely in these attacks. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to exploit either of the two vulnerabilities successfully.”
The vulnerabilities affect Microsoft Exchange Server versions 2013, 2016, and 2019.
Unfortunately, although the Vietnamese researchers notified Microsoft (via Trend Micro’s Zero Day Initiative) about the flaws several weeks ago, there are no patches yet.
“Microsoft Exchange Online has detections and mitigation in place to protect customers,” Microsoft said, but it urged admins of on-premises Exchange Server installations to apply its interim mitigations: an IIS URL Rewrite rule on the Default Web Site that aborts requests matching the known attack pattern (Autodiscover requests that get proxied on to the Exchange PowerShell backend), and blocking the Remote PowerShell ports (HTTP 5985 and HTTPS 5986) while disabling remote PowerShell access for non-admin users. These are stopgaps, not fixes; the servers remain vulnerable until a patch ships.
Mitigation and Detection
GTSC’s researchers initially thought the attackers were exploiting the ProxyShell vulnerability. Further analysis showed, however, that the targeted Exchange servers were fully patched, including against ProxyShell, so that theory was discarded.
Security researcher Kevin Beaumont says the ProxyShell patches from early 2021 did not fix the issue. “I am calling this ProxyNotShell, as it is the same path and SSRF/RCE pair from back then… but with authentication.”
GTSC’s researchers discovered the attacks at the beginning of August. They said the attacker's ultimate goal was to “create backdoors on the affected system and perform lateral movements to other servers in the system.”
The former was performed by dropping webshells. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management,” they shared.
GTSC has published indicators of compromise, temporary mitigation guidance, a PowerShell search pattern for IIS logs, and a scanning tool that defenders can use to check IIS log files for evidence of compromise.
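As an added example (not GTSC's tool and not from the original article), the following Python script applies GTSC's published IIS log search pattern, `powershell.*autodiscover\.json.*\@.*200`, to a W3C-format IIS log and also runs a broader check that decodes the query string and flags every Autodiscover request routed to `/powershell` regardless of response code, since GTSC's pattern only surfaces requests that returned 200 and misses failed attempts. The log excerpt is constructed for the example; the client address, the `evil.test` host and the usernames are placeholders, and the `antSword/v2.1` user-agent mirrors the AntSword tool GTSC reported seeing.

```python
import re
from urllib.parse import unquote

# GTSC's published search: Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
# (Select-String is case-insensitive by default, hence re.IGNORECASE).
GTSC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not a real customer log). Field layout is the IIS default;
# 198.51.100.23, evil.test and the usernames are placeholders.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 08:14:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 41
2022-09-28 08:15:19 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell&Email=autodiscover/autodiscover.json%3f@evil.test 443 CORP\\jdoe 198.51.100.23 antSword/v2.1 - 200 0 0 512
2022-09-28 08:15:20 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 198.51.100.23 antSword/v2.1 - 401 1 2148074254 3
2022-09-28 08:16:44 10.0.0.5 GET /autodiscover/autodiscover.json Email=asmith@corp.example&Protocol=Ews 443 CORP\\asmith 10.0.0.77 Outlook/16.0 - 200 0 0 88
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # field names follow the directive
        elif raw.startswith("#") or not raw.strip():
            continue                          # other directives / blank lines
        else:
            values = raw.split(" ")           # IIS separates fields with single spaces
            records.append(dict(zip(fields, values), raw=raw))
    return records


def gtsc_log_hits(records, pattern=GTSC_PATTERN):
    """Records that GTSC's published pattern flags: exploit-shaped requests answered with 200."""
    return [r for r in records if pattern.search(r["raw"])]


def proxynotshell_attempts(records):
    """Broader check: any Autodiscover request whose decoded query routes to /powershell,
    regardless of status, so failed (401/500) attempts are surfaced as well."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        query = unquote(r.get("cs-uri-query", "")).lower()
        if stem.endswith("/autodiscover.json") and "powershell" in query:
            hits.append({"time": f'{r["date"]} {r["time"]}', "client": r["c-ip"],
                         "user_agent": r["cs(User-Agent)"], "status": r["sc-status"]})
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_IIS_LOG)
    print(f"GTSC pattern hits: {len(gtsc_log_hits(recs))}")
    for hit in proxynotshell_attempts(recs):
        print(hit)
```

On the sample, GTSC's pattern flags only the request that returned 200, while the decoded check also surfaces the 401 attempt from the same client one second later; the legitimate Autodiscover v2 lookup, which contains `autodiscover.json` and an `@` but never `powershell`, is not flagged by either. Point the parser at the real log directory (`%SystemDrive%\inetpub\logs\LogFiles` by default) and treat any hit as a trigger for webshell hunting on that server.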
Microsoft and Trend Micro have provided detection queries and explained how to use their solutions for investigation and remediation.
“A quick sweep of the internet suggests a lot of organisations haven’t yet patched for ProxyShell, which is understandable given how Exchange patching works,” Beaumont noted; via Shodan, he found nearly 250,000 vulnerable Exchange servers exposed on the internet.
As a side note: Earlier this year, Microsoft asked bug hunters to probe on-premises Exchange and SharePoint servers.
Shanique Taylor is an expert writer with over 150 publications on several blogs and websites before she joined our team at DailyTechFeed. Shanique specializes in Lifestyle, Health, and News articles. Shanique Taylor is also a web expert and keeps us running.