Update: Threat Response – Zero-day vulnerabilities in Microsoft Exchange

04-10-2022

A SAFE DIGITAL JOURNEY

On Friday, September 30th, two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 were identified [1][3]. Northwave informed you of this in a previous Threat Response. In the meantime, researchers have discovered that the mitigation mentioned earlier is not sufficient [2].

These vulnerabilities have not been seen to affect Microsoft Exchange Online users. However, if a hybrid setup with an on-premises Exchange server is used, that setup is still vulnerable.

Mitigation

Microsoft advised a workaround earlier; however, this appears not to be effective. If you already applied the workaround mentioned in our previous Threat Response, please update the attack pattern in the blocking rule. If you have not applied any workarounds yet, please apply the following:

  • Add a blocking rule [2] in your Exchange Server to block the known attack pattern: “.*autodiscover\.json.*Powershell.*” in the {REQUEST_URI} field.
  • Block Remote PowerShell access to prevent authenticated attackers from abusing the second Remote Code Execution vulnerability (CVE-2022-41082) [1].

Be aware that the linked Microsoft documentation [2] still mentions the previous attack pattern. Note: the impact of this rule is not fully known at this moment; several Twitter messages [4][5] suggest this change stops the Outlook client from working properly, while other messages do not report this problem. Northwave recommends verifying that the Outlook client still works after applying the new rule.

What will Northwave do?

For EDRS customers with Defender for Endpoint, Northwave has already implemented monitoring use cases to detect web-shell activity on Exchange IIS servers. For EDRS customers with ESET, post-exploitation activities will be detected and blocked by ESET. For IDRS customers with Microsoft Sentinel, Northwave has implemented a use case based on Windows Security Events to detect the web shell activity. Furthermore, for customers with the Northwave NIDS setup, network traffic monitoring for possible exploitation signatures has been implemented.

We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or e-mail.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

[2]: https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/

[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610

[4]: https://twitter.com/wdormann/status/1577020025583841281

[5]: https://twitter.com/SysElement/status/1576930819901657089


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.