Two Microsoft Exchange Zero-Days Being Exploited In-The-Wild

Two newly discovered zero-day vulnerabilities in Microsoft Exchange that could allow threat actors to execute code remotely are being leveraged in active attacks.

Context

On September 29, 2022, security researchers at GTSC reported the technical details of two zero-day vulnerabilities they had observed being exploited by threat actors since August 2022. Microsoft confirmed the vulnerabilities and provided details of both:

  • CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day, CVE-2022-41082
  • CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker

Microsoft notes that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

Technical Details

According to GTSC researchers, the Zero Day Initiative (ZDI) scored CVE-2022-41040 at 8.8 and CVE-2022-41082 at 6.3 on its severity scale. MITRE and NIST have yet to post information about the vulnerabilities.

After exploitation, GTSC researchers observed threat actors collecting information, installing backdoors, moving laterally, and establishing footholds in target infrastructure. The researchers assessed that the threat actors were likely Chinese nationals, because the webshell used code page 936, a Microsoft character encoding for simplified Chinese.

The researchers reported obfuscated webshells being dropped on Exchange servers.

Mitigation Options

GTSC provided the following defensive measures against the activity they reported:

GTSC Containment

  • In Autodiscover at FrontEnd select tab URL Rewrite, select Request Blocking
  • Add string ".*autodiscover.json.*@.*Powershell.*" to the URL Path
  • Condition input: Choose {REQUEST_URI}

GTSC Detection

To help organizations check whether their Exchange Servers have been exploited by this bug yet, GTSC have released a guideline and a tool to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder):

Method 1: Use the following PowerShell command (the path is the default IIS log folder named above):
Get-ChildItem -Recurse -Path "$env:SystemDrive\inetpub\logs\LogFiles" -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'

Method 2: Use the tool developed by GTSC: based on the exploit signature, we built a tool that searches in much less time than the PowerShell command. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner

Microsoft provided the following defensive measures against exploitation of the two vulnerabilities:

Microsoft Mitigation

Microsoft Exchange Online Customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports.

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add String “.*autodiscover.json.*@.*Powershell.*” (excluding quotes) and click OK.
  • Expand the rule and select the rule with the Pattern “.*autodiscover.json.*@.*Powershell.*” and click Edit under Conditions.
  • Change the condition input from {URL} to {REQUEST_URI}

Impact: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.

  • HTTP: 5985
  • HTTPS: 5986

Microsoft Detection

Microsoft Sentinel

While we do not currently have a specific detection query for this issue, based on what we are seeing in the wild, these techniques will help defenders. Our post on Web Shell Threat Hunting with Microsoft Sentinel also provides valid guidance for looking for web shells in general.

The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries as there are similarities in function with this threat. Also, we have a new Exchange Server Suspicious File Downloads query which specifically looks for suspicious downloads in IIS logs. In addition to those, we have a few more that could be helpful in looking for post-exploitation activity:

Microsoft Defender for Endpoint
Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts can be related to this threat:

  • Possible web shell installation
  • Possible IIS web shell
  • Suspicious Exchange Process Execution
  • Possible exploitation of Exchange Server vulnerabilities
  • Suspicious processes indicative of a web shell
  • Possible IIS compromise

Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability as of this writing with the following alerts:

  • ‘Chopper’ malware was detected on an IIS Web server
  • ‘Chopper’ high-severity malware was detected

Microsoft Defender Antivirus
Microsoft Defender Antivirus detects the post-exploitation malware used in current in-the-wild exploitation of this vulnerability as the following:

IOCs

GTSC researchers provided the following indicators of compromise (IOCs) for post-exploitation activity they observed:

Indicator | Type | Notes
137[.]184[.]67[.]33 | IP Address | C2 Server
hxxp://206[.]188[.]196[.]77:8080/themes.aspx | Domain | Malicious URL
125[.]212[.]220[.]48 | IP Address | Malicious IP
5[.]180[.]61[.]17 | IP Address | Malicious IP
47[.]242[.]39[.]92 | IP Address | Malicious IP
61[.]244[.]94[.]85 | IP Address | Malicious IP
86[.]48[.]6[.]69 | IP Address | Malicious IP
86[.]48[.]12[.]64 | IP Address | Malicious IP
94[.]140[.]8[.]48 | IP Address | Malicious IP
94[.]140[.]8[.]113 | IP Address | Malicious IP
103[.]9[.]76[.]208 | IP Address | Malicious IP
103[.]9[.]76[.]211 | IP Address | Malicious IP
104[.]244[.]79[.]6 | IP Address | Malicious IP
112[.]118[.]48[.]186 | IP Address | Malicious IP
122[.]155[.]174[.]188 | IP Address | Malicious IP
125[.]212[.]241[.]134 | IP Address | Malicious IP
185[.]220[.]101[.]182 | IP Address | Malicious IP
194[.]150[.]167[.]88 | IP Address | Malicious IP
212[.]119[.]34[.]11 | IP Address | Malicious IP
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | SHA256 | Webshell file pxh4HG1v[.]ashx
65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5 | SHA256 | Webshell file RedirSuiteServiceProxy[.]aspx
b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca | SHA256 | Webshell file RedirSuiteServiceProxy[.]aspx
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | SHA256 | Webshell file Xml[.]ashx
be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257 | SHA256 | Webshell file errorEE[.]aspx
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 | SHA256 | DLL file Dll[.]dll
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 | SHA256 | DLL file Dll[.]dll
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 | SHA256 | DLL file Dll[.]dll
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 | SHA256 | DLL file Dll[.]dll
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 | SHA256 | DLL file Dll[.]dll
76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e | SHA256 | DLL file, dump from the Svchost[.]exe process
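The GTSC detection above greps whole IIS log lines for a fixed token order, and the IOC table is published defanged. The following PowerShell is an added example, not GTSC's scanner or Microsoft's code, that serves both: it parses IIS W3C log lines by their #Fields header, rebuilds the request path plus query string (what the rewrite rule's {REQUEST_URI} sees) and tests it against the autodiscover/Powershell pattern, and flags client IPs that appear in the IOC list after refanging. The log lines are constructed for the example (documentation-range client IPs, plus the C2 address from the table above for the IOC hit); the two IOC entries are copied from the table; function names are my own.

```powershell
# Added example, not GTSC's or Microsoft's code: parse IIS W3C logs by their
# #Fields header and flag requests that match the published pattern or come
# from a known-bad IP. Function names are my own.

# Pattern from the URL Rewrite mitigation, applied to path + query string
$BlockPattern = '.*autodiscover.json.*@.*Powershell.*'

# Constructed sample log in IIS W3C format (not a real capture). Client IPs are
# documentation ranges except 137.184.67.33, which is the C2 entry in the IOC table.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 08:01:10 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2022-09-28 08:02:33 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell 443 - 198.51.100.7 python-requests/2.28 200
2022-09-28 08:02:35 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell 443 - 137.184.67.33 python-requests/2.28 401
2022-09-28 08:03:00 10.0.0.5 GET /ecp/ - 443 - 192.0.2.11 Mozilla/5.0 200
'@

function ConvertFrom-DefangedIndicator {
    # Reverse common defanging: "[.]" -> "." and a leading "hxxp" -> "http"
    param([Parameter(Mandatory)][string]$Indicator)
    return (($Indicator -replace '\[\.\]', '.') -replace '^hxxp', 'http')
}

function ConvertFrom-IisW3CLog {
    # Emit one object per data line, with properties named after the #Fields header
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line: skip rather than misalign columns
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Find-SuspiciousExchangeRequests {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$KnownBadIps = @()
    )
    foreach ($r in (ConvertFrom-IisW3CLog -Lines $Lines)) {
        # Rebuild what the rewrite rule's {REQUEST_URI} would see: path plus query string
        $requestUri = $r.'cs-uri-stem'
        if ($r.'cs-uri-query' -ne '-') { $requestUri += '?' + $r.'cs-uri-query' }
        $reasons = @()
        if ($requestUri -imatch $BlockPattern) {
            # GTSC's query keys on status 200; the same request shape with another status is still reported
            $reasons += $(if ($r.'sc-status' -eq '200') { 'pattern-match-200' } else { 'pattern-match' })
        }
        if ($KnownBadIps -contains $r.'c-ip') { $reasons += 'ioc-ip' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($r.date) $($r.time)"
                ClientIp = $r.'c-ip'
                Status   = $r.'sc-status'
                Uri      = $requestUri
                Reasons  = $reasons -join ','
            }
        }
    }
}

# IOC IPs copied from the GTSC table above, refanged before matching
$IocIps = @('137[.]184[.]67[.]33', '125[.]212[.]220[.]48') | ForEach-Object { ConvertFrom-DefangedIndicator $_ }

# Against the sample: two hits, one pattern match with status 200 and one pattern match from the C2 IP
Find-SuspiciousExchangeRequests -Lines ($SampleLog -split "`r?`n") -KnownBadIps $IocIps | Format-Table -AutoSize

# For real logs (default location %SystemDrive%\inetpub\logs\LogFiles):
# Get-ChildItem -Recurse -Path "$env:SystemDrive\inetpub\logs\LogFiles" -Filter '*.log' |
#     ForEach-Object { Find-SuspiciousExchangeRequests -Lines (Get-Content $_.FullName) -KnownBadIps $IocIps }
```

Because the match runs on the reconstructed request URI rather than the raw line, it does not depend on the column order of a particular IIS log configuration, and a matching request that was rejected (here the 401 from the C2 address) is still surfaced as reconnaissance worth reviewing rather than dropped for lacking a 200.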

MITRE TTPs

GTSC researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs) for post-exploitation activity they observed:

ID | Tactic | Name
T1586.002 | Resource Development | Compromise Accounts: Email Accounts
T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell
T1047 | Execution | Windows Management Instrumentation
T1505.003 | Persistence | Server Software Component: Web Shell
T1070.004 | Defense Evasion | Indicator Removal on Host: File Deletion
T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location
T1620 | Defense Evasion | Reflective Code Loading
T1003.001 | Credential Access | OS Credential Dumping: LSASS Memory
T1087 | Discovery | Account Discovery
T1083 | Discovery | File and Directory Discovery
T1057 | Discovery | Process Discovery
T1049 | Discovery | System Network Connections Discovery
T1570 | Lateral Movement | Lateral Tool Transfer
T1560.001 | Collection | Archive Collected Data: Archive via Utility
