Microsoft is warning organizations to mitigate two zero-day vulnerabilities in Exchange Server that are being actively exploited in the wild and can result in hands-on-keyboard access, Active Directory reconnaissance, and data exfiltration.
The vulnerabilities are CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, a remote code execution bug via Exchange PowerShell.
According to Microsoft, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082, but the attacker would need authenticated access to the vulnerable Exchange Server to exploit either of the vulnerabilities, which can be used separately.
Microsoft says Defender Antivirus and Defender for Endpoint are able to detect post-exploitation malware and activity associated with the attacks, but a fix has not yet been released. However, the company has released a script that applies the mitigation for the SSRF vector, CVE-2022-41040, to on-premises Exchange servers.
The company strongly recommends Exchange Server customers disable remote PowerShell access for non-admin users in their organization.
The company says it is aware of “limited targeted attacks” leveraging these bugs.
While Exchange Online customers do not need to take any action, on-premises Exchange customers should add a blocking rule under “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns.
There are three possible mitigation options, which can be viewed in this Microsoft Security Response Center blog.
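As an added illustration of the recommendation to disable remote PowerShell for non-admin users (not code from the article or from Microsoft), the following script, run from the Exchange Management Shell on an on-premises server, reports which mailbox users still have remote PowerShell enabled and, only with -Apply, turns it off. The list of admin role groups whose members are left untouched is an assumption to adjust per organization.

```powershell
# Added example: audit and (optionally) remove remote PowerShell access for
# non-admin mailbox users. Without -Apply the script is a dry run.
param(
    [switch]$Apply
)

# Assumption: members of these Exchange role groups are the "admin users" who
# must keep remote PowerShell. Adjust to match the organization's delegation.
$adminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management')

# Build a lookup of admin DistinguishedNames so the exclusion is an O(1) check.
$adminIds = @{}
foreach ($group in $adminRoleGroups) {
    foreach ($member in (Get-RoleGroupMember -Identity $group -ResultSize Unlimited)) {
        $adminIds[$member.DistinguishedName] = $true
    }
}

# RemotePowerShellEnabled is true by default for every user, so the target set is
# mailbox users that are not admins and not the account running this script
# (disabling the running account would lock the operator out of the shell).
$candidates = @(Get-User -ResultSize Unlimited | Where-Object {
    $_.RemotePowerShellEnabled -and
    $_.RecipientTypeDetails -eq 'UserMailbox' -and
    -not $adminIds.ContainsKey($_.DistinguishedName) -and
    $_.SamAccountName -ne $env:USERNAME
})

foreach ($user in $candidates) {
    if ($Apply) {
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        Write-Output "Disabled remote PowerShell for $($user.UserPrincipalName)"
    } else {
        Write-Output "Would disable remote PowerShell for $($user.UserPrincipalName)"
    }
}
Write-Output "$($candidates.Count) account(s) processed (Apply=$Apply)"
```

Review the dry-run output before re-running with -Apply, since service or automation accounts that legitimately use remote PowerShell should be added to the exclusion list rather than disabled.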
The company says the activity observed is attributable to a single threat group that in August achieved initial access and compromised Exchange servers by chaining the vulnerabilities together in a “small number of targeted attacks.” The threat actor used the bugs to install the Chopper web shell to gain hands-on-keyboard access, which was used to perform Active Directory reconnaissance and data exfiltration.
Microsoft says its researchers were investigating the attacks to determine if there was a new exploitation vector in Exchange involved when the Zero Day Initiative (ZDI) disclosed the bugs to Microsoft last month.
According to Microsoft, a blog from Vietnamese cybersecurity company GTSC, published Sept. 28, detailed the activity that was previously reported to Microsoft via the ZDI.
“Their blog details one example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and discusses the exploitation details of CVE-2022-41040,” Microsoft says in the blog. “It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.”
Claire Tills, a senior research engineer at vulnerability scanning provider Tenable, says the two flaws appear to be variants of ProxyShell, a chain of Exchange vulnerabilities disclosed late last year. However, the key difference is that the new bugs require authentication, although that authentication can be of any user.
Now that these vulnerabilities are public, all Exchange customers should be vigilant, Tills says.
“Microsoft has confirmed the vulnerabilities but, at this time, we’re still waiting on patches. Once those are available, organizations should deploy them with urgency. Microsoft and GTSC have both offered mitigation guidance for organizations to consider until patches have been released,” Tills says. “ProxyShell was and remains one of the most exploited attack chains released in 2021.”