Categories
Cybersecurity Advisories

Microsoft Exchange Zero-Days (CVE-2022-41040 and CVE-2022-41082)

Update

10/4/2022 – Microsoft updated their blog with three mitigation options.

10/8/2022 – Updated mitigations. A correction was made to the string in step 6 and step 9 on the URL Rewrite rule mitigation Option 3.

Description

Two new zero-day vulnerabilities in Microsoft Exchange are actively being exploited in the wild. The first vulnerability is reported to be a Server-Side Request Forgery and is identified as CVE-2022-41040. The second allows remote code execution (RCE) when Powershell is accessible to the attacker and is identified as CVE-2022-41082. Microsoft informed that the two vulnerabilities have been collectively dubbed ProxyNotShell, mainly because “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, suggesting an incomplete patch. The two flaws are linked together in an exploit chain, with the Server-Side Request Forgery bug enabling an authenticated threat actor to remotely trigger arbitrary code execution.

  • CVE-2022-41040 (CVSS score: 8.8 High) – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082 (CVSS score: 8.8 High) – Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft emphasized that it’s working on an accelerated timeline to implement a solution, while urging on premises Microsoft Exchange customers to add an IIS Manager blocking rule as a short-term stopgap to mitigate potential threats.

According to Microsoft, Exchange Online customers do not need to take any action.

 

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

  • We have added IPs known to exploit this vulnerability into our blocklists in our MDR solution, FortiSIEM.
  • Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.

EDR Services

  • We have implemented known IoC information to help with detection. If we see activity related to these exploits, we will contact you directly.

We will be providing frequent updates. If you use on-prem exchange, please review the details below which provide mitigations and detections.

 

Mitigation

Although there is no official patch as of yet, Microsoft published a blog post detailing mitigation and detection steps.

To reduce the risk of exploitation, Microsoft proposed blocking the known attack patterns through a rule in the IIS Manager:

  1. Open IIS Manager
  2. Select Default Web Site
  3. In the Feature View, click URL Rewrite
  4. In the Actions pane on the right-hand side, click Add Rule(s)…
  5. Select Request Blocking and click OK
  6. Add the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes).
  7. Select Regular Expression under Using.
  8. Select Abort Request under How to block and then click OK.
  9. Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.
  10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
  11. Additionally, Microsoft recommends disabling remote PowerShell access for non-admin users. The operation should take less than five minutes and the restriction can be enforced for only one or multiple users.

Detection and Advanced Hunting

For detection and advanced hunting guidance, customers should reference Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.

Indicators of Compromise (IoCs)

Hash (SHA256):

c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5

b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca

be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82

45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9

9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0

29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3

c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

125[.]212[.]220[.]48

5[.]180[.]61[.]17

47[.]242[.]39[.]92

61[.]244[.]94[.]85

86[.]48[.]6[.]69

86[.]48[.]12[.]64

94[.]140[.]8[.]48

94[.]140[.]8[.]113

103[.]9[.]76[.]208

103[.]9[.]76[.]211

104[.]244[.]79[.]6

112[.]118[.]48[.]186

122[.]155[.]174[.]188

125[.]212[.]241[.]134

185[.]220[.]101[.]182

194[.]150[.]167[.]88

212[.]119[.]34[.]11

C2:

137[.]184[.]67[.]33

URL:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

MITRE Summary

TacticIDName
Resource DevelopmentT1586.002Compromise Accounts: Email Accounts
ExecutionT1059.003Command and Scripting Interpreter: Windows Command Shell
ExecutionT1047Windows Management Instrumentation
PersistenceT1505.003Server Software Component: Web Shell
Defense EvasionT1070.004Indicator Removal on Host: File Deletion
Defense EvasionT1036.005Masquerading: Match Legitimate Name or Location
Defense EvasionT1620Reflective Code Loading
Credential AccessT1003.001OS Credential Dumping: LSASS Memory
DiscoveryT1087Account Discovery
DiscoveryT1083File and Directory Discovery
DiscoveryT1057Process Discovery
DiscoveryT1049System Network Connections Discovery
Lateral MovementT1570Lateral Tool Transfer
CollectionT1560.001Archive Collected Data: Archive via Utility

Resources & Related Articles