Threat Response – Zero-day vulnerabilities in Microsoft Exchange

30-09-2022

A SAFE DIGITAL JOURNEY

On Friday, September 30th, two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 were identified [1][3]. These vulnerabilities potentially allow authenticated attackers to perform remote code execution via PowerShell on on-premises Exchange servers. Microsoft has confirmed these zero-days, which are currently tracked publicly as CVE-2022-41040 (Server-Side Request Forgery) and CVE-2022-41082 (Remote Code Execution). The behaviour is widely recognised as mimicking the ProxyShell vulnerability from 2021 [4]. The ProxyShell vulnerability (CVE-2021-34473) was used by attackers to bypass authentication on Exchange servers and perform remote code execution.

These vulnerabilities are not known to affect Microsoft Exchange Online users. For on-premises Exchange Server users, a workaround has been published to block exposed Remote PowerShell ports [1].

At the moment the vulnerability is not yet widely exploited, although this may change. Actual attacks abusing the vulnerability have already been observed.

Risk

The vulnerability is currently not yet exploited on a large scale. However, since Exchange servers are exposed to the internet, vulnerable servers can become an easy target for attackers. Additionally, targeted attacks have been observed [5]. For this reason, we estimate the risk as high.

Impact

Successful exploitation of the vulnerability CVE-2022-41040 (Server-Side Request Forgery) could allow an already authenticated attacker to remotely execute code (CVE-2022-41082) on on-premises Exchange servers. This zero-day vulnerability is actively exploited by attackers. For this reason, we estimate the impact as high.

Mitigation

Microsoft is currently working on a fix to patch these vulnerabilities. Meanwhile, for on-premises Microsoft Exchange users, Microsoft has advised the following workarounds:

  • Add a blocking rule [1] (an IIS URL Rewrite rule) in your Exchange Server to block the known attack pattern: “.*autodiscover\.json.*\@.*Powershell.*” in the {REQUEST_URI} field.
  • Block Remote PowerShell access to prevent authenticated attackers from abusing the second, Remote Code Execution vulnerability (CVE-2022-41082) [1].

What should you do?

Make sure the mitigations listed above are followed through to limit the attack surface for the zero-days. Administrators who wish to check their Exchange servers for signs of potential compromise can use the following PowerShell command to scan their Internet Information Services (IIS) log files [5] (replace the placeholder with the IIS log directory):

Get-ChildItem -Recurse -Path <IIS log directory> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

To identify the file path of the IIS logs, the following two commands can be used (the log directory is printed by the second command):

Import-Module -Name WebAdministration
(Get-ItemProperty -Path 'IIS:\Sites\Default Web Site' -Name logfile).directory

What will Northwave do?

For customers with EDRS based on Microsoft Defender for Endpoint, Northwave will closely monitor for activity related to Web Shells on IIS servers and Exploitation of Exchange Server vulnerabilities [1]. Moreover, we will use the Northwave SOC Defender Management application to actively detect any suspicious activity indicating the exploitation of these zero-days. If access to our Defender Management application has not been arranged, please contact your Security Operations Manager (SOM) for instructions. For customers with EDRS based on ESET, active post-exploitation will be detected. We are also looking into additional capabilities to detect these attacks with ESET.

Furthermore, for non-EDRS customers, Northwave is deploying a Microsoft Sentinel use case based on Windows Security Events to detect WebShell activity on Exchange servers. Northwave will monitor developments around these vulnerabilities. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or email.

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

[2]: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/#:~:text=%22The%20first%20vulnerability%2C%20identified%20as,the%20attacker%2C%22%20Microsoft%20said.

[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610

[4]: https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9

[5]: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.