Update
10/4/2022 – Microsoft updated their blog with three mitigation options.
10/8/2022 – Updated mitigations. A correction was made to the string in step 6 and step 9 on the URL Rewrite rule mitigation Option 3.
Description
Two new zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild. The first is reported to be a Server-Side Request Forgery (SSRF) and is identified as CVE-2022-41040. The second allows remote code execution (RCE) when PowerShell is accessible to the attacker and is identified as CVE-2022-41082. Microsoft noted that the two vulnerabilities have been collectively dubbed ProxyNotShell, mainly because “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, suggesting an incomplete patch. The two flaws are chained together: the SSRF bug enables an authenticated threat actor to remotely trigger arbitrary code execution.
- CVE-2022-41040 (CVSS score: 8.8 High) – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41082 (CVSS score: 8.8 High) – Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft emphasized that it is working on an accelerated timeline to release a fix, while urging on-premises Microsoft Exchange customers to add an IIS Manager blocking rule as a short-term stopgap to mitigate potential threats.
According to Microsoft, Exchange Online customers do not need to take any action.
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
MDR Services
- We have added IPs known to exploit this vulnerability into our blocklists in our MDR solution, FortiSIEM.
- Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.
EDR Services
- We have implemented known IoC information to help with detection. If we see activity related to these exploits, we will contact you directly.
We will be providing frequent updates. If you run on-premises Exchange, please review the details below, which provide mitigations and detections.
Mitigation
Although there is no official patch yet, Microsoft published a blog post detailing mitigation and detection steps.
To reduce the risk of exploitation, Microsoft proposed blocking the known attack patterns through a rule in the IIS Manager:
- Open IIS Manager
- Select Default Web Site
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rule(s)…
- Select Request Blocking and click OK
- Add the string “(?=.*autodiscover)(?=.*powershell)” (without the quotes).
- Select Regular Expression under Using.
- Select Abort Request under How to block and then click OK.
- Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.
- Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
- Additionally, Microsoft recommends disabling remote PowerShell access for non-admin users. The operation takes less than five minutes, and the restriction can be applied to a single user or to multiple users.
Detection and Advanced Hunting
For detection and advanced hunting guidance, customers should reference Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.
Indicators of Compromise (IoCs)
Hash (SHA256):
IP:
125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11
C2:
137[.]184[.]67[.]33
URL:
hxxp://206[.]188[.]196[.]77:8080/themes.aspx
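The following Python script is an added example and is not code from the original advisory or from Microsoft. It emulates the condition of the URL Rewrite rule described in the Mitigation section above (the lookahead pattern evaluated against the URL-decoded request URI, which is what step 10 changes the condition input to) and combines it with the network indicators listed above, so the two can be hunted together across an IIS W3C log. The log lines, client IPs and query strings are constructed for the example; the indicators are the ones published on this page, refanged for matching.

```python
import re
from urllib.parse import unquote

# Condition pattern from the URL Rewrite mitigation above. The two lookaheads
# mean "both substrings appear somewhere in the input". URL Rewrite conditions
# ignore case by default, so re.IGNORECASE mirrors the rule as IIS applies it.
BLOCK_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Network indicators from the IoC section, kept defanged as published.
DEFANGED_IOCS = [
    "137[.]184[.]67[.]33",    # C2
    "206[.]188[.]196[.]77",   # host of the hxxp URL
    "125[.]212[.]220[.]48",
    "5[.]180[.]61[.]17",
]


def refang(value):
    """Turn a defanged indicator back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOCS}


def rule_matches(request_uri, decoded=True):
    """Emulate the rule's condition.

    decoded=True is the condition input from step 10 ({UrlDecode:{REQUEST_URI}});
    decoded=False is the original {URL} input, which sees the raw request string.
    """
    target = unquote(request_uri) if decoded else request_uri
    return BLOCK_PATTERN.search(target) is not None


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split(" ")))


def hunt(log_text):
    """Return (timestamp, client_ip, uri, reasons) for every suspicious request."""
    findings = []
    for rec in parse_w3c(log_text):
        uri = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        reasons = []
        if rule_matches(uri):
            reasons.append("uri-pattern")
        if rec["c-ip"] in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            findings.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"], uri, reasons))
    return findings


# Constructed sample log (not real traffic). Line 3 is an ordinary request from
# a listed C2 address; line 4 carries a percent-encoded query so only the
# decoded-input condition from step 10 catches it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 08:15:02 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2022-10-03 08:15:09 10.0.0.5 POST /autodiscover/autodiscover.json x=/powershell 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-03 08:16:41 10.0.0.5 GET /owa/ - 443 - 137.184.67.33 Mozilla/5.0 200
2022-10-03 08:17:05 10.0.0.5 POST /autodiscover/autodiscover.json x=/power%73hell 443 - 203.0.113.9 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for when, ip, uri, reasons in hunt(SAMPLE_LOG):
        print(when, ip, uri, ",".join(reasons))
```

The `decoded` switch is the reason the page's step 10 exists: IIS routes requests on the decoded path, so a condition evaluated on the raw `{URL}` input can disagree with what Exchange actually receives. When hunting historical logs, run the same decoded check rather than a plain substring search.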
MITRE Summary
| Tactic | ID | Name |
| --- | --- | --- |
| Resource Development | T1586.002 | Compromise Accounts: Email Accounts |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1505.003 | Server Software Component: Web Shell |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Defense Evasion | T1620 | Reflective Code Loading |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Discovery | T1087 | Account Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
Resources & Related Articles
- https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
- https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html
- https://nakedsecurity.sophos.com/2022/09/30/urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different/
- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/