THE THREAT
On September 29th, 2022, GTSC disclosed
two new vulnerabilities impacting Microsoft Exchange Servers. The vulnerabilities are tracked as CVE-2022-41040
(CVSS:8.8) and CVE-2022-41082
(CVSS:6.3).
CVE-2022-41082 allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability. Microsoft has confirmed that authenticated access to the vulnerable Exchange server is required to exploit both vulnerabilities. The vulnerabilities impact Microsoft Exchange Server versions 2013, 2016, and 2019.
Exploitation of CVE-2022-41040 and CVE-2022-41082 have been identified in the wild. Organizations are strongly recommended to apply the relevant mitigations provided by Microsoft. Once security patches are released, they should be applied as soon as possible.
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) will add plugins for this vulnerability when they become available
- IP addresses associated with real-world attacks have been blocked via the eSentire Global Deny List
- The eSentire Threat Response Unit (TRU) has performed threat hunts across the eSentire client base for signs of exploitation
- eSentire MDR for Endpoint has detections in place to identify known post- compromise activity such as the deployment of webshells, including China Chopper
- eSentire MDR for Network has detections in place to identify the China Chopper webshell
- eSentire security teams are tracking these vulnerabilities for additional details and detection opportunities
What you should do about it
- Microsoft Exchange Online Customers do not need to take any additional actions
- On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports described in the Microsoft Customer Guidance
- Clients with endpoint monitoring in place should ensure endpoint agents are deployed to critical servers such as Exchange
Additional information
In these attacks, CVE-2022-41040 can enable an authenticated attacker to trigger CVE-2022-41082 remotely. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. This is the same pair of exploits seen previously in the ProxyShell vulnerabilities. There is no known impact on Exchange functionality if the URL Rewrite module is installed as recommended.
Researchers have dubbed these exploits ProxyNotShell, as it is the same path and SSRF/RCE pair required to exploit ProxyShell, with the additional requirement of authentication. GTSC’S Red team successfully used the above path to access a component in the Exchange backend and perform RCE. However, GTSC has not released technical details of the vulnerability yet.
GTSC has seen customers experiencing a similar attack leading to webshell through Exchange services. Microsoft also verified limited targeted attacks using the two vulnerabilities. The impact has led to webshell installations aiming to exfiltrate information. There is no concrete attribution at this time, however, Tactics Techniques and Procedures (TTPs), such as the use of China Chopper webshell, align with Chinese-based threat actors.
While Proof-of-Concept (PoC) exploit code is not currently available, the eSentire Threat Intelligence team asses with high confidence that the release of PoC code will result in an increase in real-world attacks against Exchange servers by multiple threat actor groups.
References:
[1] https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
[2] https://www.helpnetsecurity.com/2022/09/30/cve-2022-41040-cve-2022-41082/
[3] https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9?gi=98d52c1539ea
[4] https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040
[7] https://www.esentire.com/blog/proxyshell-microsoft-exchange-vulnerabilities-exploited
