UPDATE (10/4/2022) - Last week, Avertium published a Flash Notice regarding two zero-day Microsoft Exchange Server vulnerabilities: CVE-2022-41082 and CVE-2022-41040. The zero-days have now been named ProxyNotShell due to them being nearly identical in nature to ProxyShell.  

According to ET Labs, the new vulnerabilities exploit an SSRF vulnerability to trigger remote code execution, and ProxyNotShell uses an almost identical URI pattern to the one that triggered ProxyShell. The only difference between the two is that ProxyNotShell requires valid credentials, i.e. authenticated access to the Exchange Server.

Additionally, the initial mitigation method Microsoft issued for CVE-2022-41082 and CVE-2022-41040 is not effective and can be bypassed by threat actors. The company has since updated its guidance and strongly recommends that Exchange Server customers disable remote PowerShell access for non-admin users in their organization. You can find additional guidance for single and multiple users here.

Overview 

There are two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 is a vulnerability that allows for remote code execution when PowerShell is accessible to a threat actor.  

Microsoft stated that the current attacks are limited, but the two vulnerabilities can be chained together and used to breach corporate networks. According to Microsoft, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. The threat actors chain the vulnerabilities together to deploy China Chopper web shells on the compromised servers, which allows them to move laterally to other systems within the victim's network. However, in order to exploit either vulnerability, an attacker needs authenticated access to the Exchange Server.

It’s suspected that a Chinese threat group is responsible for the current attacks based on two things:  

  1. The web shells' code page, which is a Microsoft character encoding for simplified Chinese.
  2. The threat actor manages the web shells with Antsword, a Chinese open-source website admin tool.

Microsoft further stated that they are working on a timeline to release a fix for the zero-days, but they have provided mitigations and detections in the meantime. Microsoft is monitoring the detections for malicious activity and will provide updates for customers on their site.  

If you are a Microsoft Exchange Online customer, you don't need to take any action. However, on-premises Microsoft Exchange customers should review and apply Microsoft's URL Rewrite instructions, as well as block exposed Remote PowerShell ports. Guidance for the URL Rewrite instructions can be found here.

How Avertium is Protecting Our Customers:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.  
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.

Avertium's recommendations

  • According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit (if not prevent) attackers from chaining from the first vulnerability to the second. 
  • Force connected users to log back into their accounts by de-authenticating logged-in email users. An attacker will not be able to reauthenticate easily unless they have fully compromised the user's account.
  • Enable behavioral endpoint threat detection on servers. It's easier to catch the malware deployed through the exploit chain than it is to detect or stop the exploitation itself, because the exploit relies on a compromised authenticated session.
  • Follow Microsoft's guidelines for detecting and mitigating CVE-2022-41040 and CVE-2022-41082.
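As an added example (not Avertium's or Microsoft's code) of the two hardening steps the notice describes, the script below runs in the Exchange Management Shell: it reports which users still have remote PowerShell enabled, disables it for everyone not on an assumed admin allow-list ($AdminsToKeep, a constructed placeholder), and blocks inbound TCP 5985/5986 with a Windows Firewall rule.

```powershell
# Added example, not from Avertium or Microsoft. Run in the Exchange Management
# Shell on the on-premises Exchange server as an Exchange administrator.
# Assumption: $AdminsToKeep lists the admin UPNs that must keep remote
# PowerShell access (constructed placeholder value).
$AdminsToKeep = @('exchadmin@corp.example')

# Report every user object that still has remote PowerShell enabled.
function Get-RemotePSEnabledUsers {
    Get-User -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled } |
        Select-Object Name, UserPrincipalName, RemotePowerShellEnabled
}

# Disable remote PowerShell for every user not on the allow-list
# (Microsoft's updated guidance referenced in the notice).
function Disable-RemotePSForNonAdmins {
    param([string[]]$Keep)
    Get-RemotePSEnabledUsers |
        Where-Object { $Keep -notcontains $_.UserPrincipalName } |
        ForEach-Object {
            Write-Host "Disabling remote PowerShell for $($_.UserPrincipalName)"
            Set-User -Identity $_.UserPrincipalName -RemotePowerShellEnabled $false
        }
}

# Block the Remote PowerShell ports (TCP 5985/5986) named in the
# recommendations, creating the firewall rule only once.
function Block-RemotePSPorts {
    $ruleName = 'Block Remote PowerShell 5985-5986'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 5985,5986 -Action Block | Out-Null
    }
}

Get-RemotePSEnabledUsers | Format-Table -AutoSize   # audit before changing anything
Disable-RemotePSForNonAdmins -Keep $AdminsToKeep
Block-RemotePSPorts
Get-RemotePSEnabledUsers | Format-Table -AutoSize   # verify only the allow-list remains
```

Block-RemotePSPorts blocks all inbound traffic on those ports, so add an allow rule for your management hosts if administrators depend on them.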






INDICATORS OF COMPROMISE (IOCS):

CVE-2022-41040 & CVE-2022-41082 

Supporting documentation

Microsoft confirms new Exchange zero-days are used in attacks (bleepingcomputer.com) 

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different” – Naked Security (sophos.com) 

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

New Microsoft Exchange zero-days actively exploited in attacks (bleepingcomputer.com)

Regarding Coverage for CVE-2022-41040, CVE-2022-41082 (aka ProxyNotShell) - Rule Signatures - Emerging Threats 

ProxyNotShell – the New Proxy Hell? (thehackernews.com)