Microsoft has today confirmed the existence of two new zero-day vulnerabilities allowing for remote code execution on Microsoft Exchange Server 2013, 2016, and 2019, following previous claims made by security researchers at Vietnamese cybersecurity firm GTSC.
“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft said.
According to GTSC, the zero-days are chained to deploy Chinese Chopper web shells for persistence and data theft, and to move laterally through the victims’ networks. GTSC also suspects that a Chinese threat group might be responsible for the ongoing attacks based on the web shell code pages, which use Microsoft character encoding for simplified Chinese.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” the company added.
It then explained that the CVE-2022-41040 flaw could only be exploited by authenticated attackers, which makes it critical only to on-premises Exchange users. Successful exploitation then allows attackers to trigger the CVE-2022-41082 RCE vulnerability.
Mitigations Needed
“We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks,” Microsoft added.
“On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports.
“The current mitigation is to add a blocking rule in ‘IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions’ to block the known attack patterns.”
To apply the mitigation to vulnerable servers, the following steps should be taken:
- Open the IIS Manager
- Expand the Default Web Site
- Select Autodiscover
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rules
- Select Request Blocking and click OK
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions
- Change the condition input from {URL} to {REQUEST_URI}
Since threat actors can also gain access to PowerShell remoting on exposed and vulnerable Exchange servers for remote code execution by exploiting CVE-2022-41082, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:
- HTTP: 5985
- HTTPS: 5986
GTSC said that administrators who want to check if their Exchange servers have already been compromised can run the following PowerShell command to scan IIS log files for indicators of compromise:
Get-ChildItem -Recurse -Path -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
The Most Significant Risk: "Not Applying The Patches on Every Asset"
These vulnerabilities, coined as ProxyNotShell by threat intelligence analyst Kevin Beaumont, should “be taken seriously,” Matthieu Garin, partner at French cybersecurity consulting firm Wavestone, claimed on LinkedIn. “And in a long term, maybe you should consider stopping with on-premises Exchange.”
Starting a new thread for two Exchange zero days being exploited in the wild.
— Kevin Beaumont (@GossiTheDog) September 30, 2022
Calling it ProxyNotShell for details explained within, aka CVE-2022-41040 and CVE-2022-41082. #ProxyNotShell pic.twitter.com/Mzjm1qXtEA
“It’s critical for enterprises to take the first step of patching this Exchange server vulnerability, but it can’t stop there,” Greg Fitzgerald, co-founder of Sevco Security, an asset attack surface management platform provider, told Infosecurity Magazine.
“The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset. The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for. You can’t patch something if you don’t know it’s there, and attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets,” Fitzgerald added.
Around 5% of all Windows servers are uncovered by enterprise patch management programs, revealed Sevco’s State of the Cybersecurity Attack Surface Report earlier this month. “So even when companies patch this, there’s a good chance they’ll miss vulnerable servers,” they noted.
Additionally, the report found that 19% of Windows servers are missing endpoint protection.