UPDATE (10/4/2022) - Last week, Avertium published a Flash Notice regarding two zero-day Microsoft Exchange Server vulnerabilities: CVE-2022-41082 and CVE-2022-41040. The zero-days have now been named ProxyNotShell because they are nearly identical in nature to ProxyShell.
According to ET Labs, the new vulnerabilities exploit an SSRF vulnerability to trigger remote code execution. ProxyNotShell also uses a URI pattern almost identical to the one used to trigger ProxyShell. The only difference between the two is that ProxyNotShell requires valid credentials, i.e. authenticated access to the Exchange Server.
Additionally, the initial mitigation method issued by Microsoft for CVE-2022-41082 and CVE-2022-41040 is not effective and can be bypassed by threat actors. The company has since updated its guidance and strongly recommends that Exchange Server customers disable remote PowerShell access for non-admin users in their organization. You can find additional guidance for single and multiple users here.
There are two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 is a vulnerability that allows for remote code execution when PowerShell is accessible to a threat actor.
Microsoft stated that the current attacks are limited, but the two vulnerabilities can be chained together and used to breach corporate networks. According to Microsoft, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. The threat actors chain the vulnerabilities together to deploy China Chopper web shells on the compromised servers, which allows them to move laterally to other systems within the victim’s network. However, in order to exploit either vulnerability, an attacker needs authenticated access to the Exchange Server.
It’s suspected that a Chinese threat group is responsible for the current attacks based on two things:
Microsoft further stated that they are working on a timeline to release a fix for the zero-days, but they have provided mitigations and detections in the meantime. Microsoft is monitoring the detections for malicious activity and will provide updates for customers on their site.
If you are a Microsoft Exchange Online customer, you don’t need to take any action. However, on-premises Microsoft Exchange customers should review and apply Microsoft’s URL Rewrite Instructions, as well as block exposed Remote PowerShell ports. Guidance for the Rewrite instructions can be found here.
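The recommended mitigation of disabling remote PowerShell for non-admin users can be applied at scale from the Exchange Management Shell. The script below is an added example, not Avertium's or Microsoft's own script; it assumes the default Exchange admin role groups listed in it (adjust the list to your organization) and that both Get-RoleGroupMember and Get-User expose a DistinguishedName property to match on.

```powershell
# Added example: disable remote PowerShell for every mailbox user who is not
# a member of an Exchange admin role group. Assumes it runs inside the
# Exchange Management Shell on the on-premises server.
# Run with -DryRun first to see which accounts would be changed.
param(
    [switch]$DryRun
)

# Admin role groups whose members keep remote PowerShell (assumed list; adjust to your org).
$adminRoleGroups = @('Organization Management', 'Server Management', 'Recipient Management')

# Build a lookup of distinguished names for every member of those groups.
$adminDns = @{}
foreach ($group in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { $adminDns[$_.DistinguishedName] = $true }
}

# Mailbox users that still have remote PowerShell enabled and are not admins.
$candidates = @(
    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.RemotePowerShellEnabled -and -not $adminDns.ContainsKey($_.DistinguishedName) }
)

Write-Host ("Admin accounts retained: {0}; non-admin accounts to change: {1}" -f $adminDns.Count, $candidates.Count)

foreach ($user in $candidates) {
    if ($DryRun) {
        Write-Host "DryRun: would disable remote PowerShell for $($user.DistinguishedName)"
    } else {
        # Set-User -RemotePowerShellEnabled is the per-user switch Microsoft's guidance points to.
        Set-User -Identity $user.DistinguishedName -RemotePowerShellEnabled $false
        Write-Host "Disabled remote PowerShell for $($user.DistinguishedName)"
    }
}

# Verification pass: any non-admin mailbox user still enabled is listed here (expect none).
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and -not $adminDns.ContainsKey($_.DistinguishedName) } |
    Select-Object Name, DistinguishedName, RemotePowerShellEnabled
```

Accounts that legitimately need remote PowerShell but sit outside the listed role groups should be added to the group list before the real run, otherwise the script disables them too.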
INDICATORS OF COMPROMISE (IOCS):
CVE-2022-41040 & CVE-2022-41082