Context
On September 29, 2022, security researchers at GTSC published technical details of two zero-day vulnerabilities in on-premises Microsoft Exchange Server that they had observed being exploited by threat actors since August 2022. Microsoft confirmed the vulnerabilities and provided details of both:
- CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day, CVE-2022-41082
- CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker
Microsoft notes that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.
Technical Details
According to GTSC, the Zero Day Initiative (ZDI), to which the researchers submitted the vulnerabilities, assigned a CVSS score of 8.8 to CVE-2022-41040 and 6.3 to CVE-2022-41082. At the time of writing, MITRE and NIST had not yet published entries for either CVE.
After exploitation, GTSC researchers observed threat actors collecting information, installing backdoors, moving laterally, and establishing footholds in the target infrastructure. The researchers assessed that the threat actors were likely a Chinese group because the webshell used code page 936, Microsoft's character encoding for simplified Chinese.
The researchers reported obfuscated webshells being dropped on the compromised Exchange servers.
Mitigation Options
GTSC provided the following defensive measures against the activity they reported:
GTSC Containment
- In IIS Manager, select the Autodiscover application under the front-end site (Default Web Site), open URL Rewrite, and add a Request Blocking rule
- Add the string ".*autodiscover.json.*@.*Powershell.*" as the URL path pattern to block
- For the condition input, choose {REQUEST_URI}
GTSC Detection
To help organizations check whether their Exchange Servers have already been exploited through this bug, GTSC released a guideline and a tool to scan the IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder):
Method 1: Use the following PowerShell command (the path shown is the default IIS log location; adjust it if your logs live elsewhere):
Get-ChildItem -Recurse -Path "$env:SystemDrive\inetpub\logs\LogFiles" -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'
Method 2: Use the tool developed by GTSC. Based on the exploit signature, GTSC built a scanner that searches the logs in much less time than the PowerShell command. Download: https://github.com/ncsgroupvn/NCSE0Scanner
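The Select-String one-liner above treats the whole log line as one string, so the "200" at the end of the pattern can match any field rather than the HTTP status. The following is an added example, not GTSC's or Microsoft's tooling, of the same hunt done field-aware: it parses the W3C #Fields directive, reconstructs the request URI from cs-uri-stem and cs-uri-query, applies GTSC's URI indicator, and then checks sc-status as a field. It also percent-decodes the URI before matching so an attempt that encodes the "@" as %40 is not missed. The log excerpt, the host evil.example and the client addresses are all constructed for illustration.

```python
"""Hunt IIS W3C logs for ProxyNotShell-style Autodiscover/PowerShell requests.

Added example (not GTSC's or Microsoft's tooling). The log excerpt below is
constructed for illustration; the hostname evil.example and the client
addresses are placeholders.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# GTSC's published indicator: 'powershell' followed by 'autodiscover.json'
# followed by '@'. The trailing '200' from their one-liner is checked below
# as the sc-status field instead of as a substring, so a '200' inside a URI
# or a time-taken value cannot produce a false hit.
EXPLOIT_URI_RE = re.compile(r"powershell.*autodiscover\.json.*@", re.IGNORECASE)

# Constructed sample: one legitimate Autodiscover request (it contains an '@'
# in the Email parameter but no 'powershell'), one successful exploit attempt,
# one failed attempt with the '@' percent-encoded as %40, and unrelated OWA traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@contoso.com&Protocol=ActiveSync 443 - 10.0.0.50 Microsoft+Office/16.0 - 200 0 0 31
2022-09-28 10:00:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.9 python-requests/2.28 - 200 0 0 812
2022-09-28 10:00:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f%40evil.example 443 - 203.0.113.9 python-requests/2.28 - 401 1 0 4
2022-09-28 10:00:12 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.contoso.com%2fowa 443 - 10.0.0.51 Mozilla/5.0 - 200 0 0 12
"""


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the most recent #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change mid-file after a log rollover
            continue
        if line.startswith("#") or not fields:
            continue                    # other directives, or data before any #Fields line
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # IIS '+'-encodes spaces, so a count mismatch means a damaged line
        yield dict(zip(fields, values))


def hunt(lines: Iterable[str], only_success: bool = True, decode: bool = True) -> List[Dict[str, str]]:
    """Return suspicious requests. only_success=False also reports attempts that did not get HTTP 200."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        candidate = unquote(uri) if decode else uri   # decode so an encoded %40 is seen as '@'
        if not EXPLOIT_URI_RE.search(candidate):
            continue
        if only_success and rec.get("sc-status") != "200":
            continue
        hits.append({
            "time": f'{rec.get("date", "")} {rec.get("time", "")}',
            "c-ip": rec.get("c-ip", ""),
            "sc-status": rec.get("sc-status", ""),
            "uri": uri,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines(), only_success=False):
        print(hit["time"], hit["c-ip"], hit["sc-status"], hit["uri"])
```

Run against the constructed sample, the default call reports only the successful attempt from 203.0.113.9; only_success=False adds the 401 attempt, which is worth reviewing during an incident because it shows the same source probing before or after a success. With decode=False the %40 variant is missed, which is the reason the percent-decoding step is there. To use it on a real server, read the files under the log directory named above and pass their lines to hunt().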
Microsoft provided the following defensive measures against exploitation of the two vulnerabilities:
Microsoft Mitigation
Exchange Online customers do not need to take any action. On-premises Exchange customers should review and apply the following URL Rewrite instructions and block exposed Remote PowerShell ports.
The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
Microsoft has confirmed that the following URL Rewrite instructions, which are currently being discussed publicly, break the attack chains seen so far. The pattern below is the first version Microsoft published; Microsoft later broadened it after the initial pattern was found to be too narrow, so confirm the currently recommended pattern before relying on this one.
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add the string ".*autodiscover.json.*@.*Powershell.*" (excluding quotes) and click OK.
- Expand the rule, select the rule with the pattern ".*autodiscover.json.*@.*Powershell.*", and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}. {URL} holds only the request path; the "@...powershell" portion of the exploit request sits in the query string, which is included only in {REQUEST_URI}, so a rule left on {URL} will not match the attack.
Impact: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.
- HTTP: 5985
- HTTPS: 5986
Microsoft Detection
Microsoft Sentinel
While we do not currently have a specific detection query for this issue, based on what we are seeing in the wild, these techniques will help defenders. Our post on Web Shell Threat Hunting with Microsoft Sentinel also provides valid guidance for looking for web shells in general.
The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries as there are similarities in function with this threat. Also, we have a new Exchange Server Suspicious File Downloads query which specifically looks for suspicious downloads in IIS logs. In addition to those, we have a few more that could be helpful in looking for post-exploitation activity:
- Web Shell Activity
- Malicious web application requests linked with Microsoft Defender for Endpoint alerts
- Exchange-iis-worker-dropping-webshell
- Web shell Detection
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts can be related to this threat:
- Possible web shell installation
- Possible IIS web shell
- Suspicious Exchange Process Execution
- Possible exploitation of Exchange Server vulnerabilities
- Suspicious processes indicative of a web shell
- Possible IIS compromise
Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability, as of this writing, with the following alerts:
- 'Chopper' malware was detected on an IIS Web server
- 'Chopper' high-severity malware was detected
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects the post-exploitation malware used in current in-the-wild exploitation of this vulnerability as the following:
- Backdoor:ASP/Webshell.Y (Backdoor:ASP/Webshell.Y threat description – Microsoft Security Intelligence)
- Backdoor:Win32/RewriteHttp.A (Backdoor:Win32/RewriteHttp.A threat description – Microsoft Security Intelligence)
IOCs
GTSC researchers provided the following indicators of compromise (IOCs) for post-exploitation activity they observed:
Indicator | Type | Notes
--- | --- | ---
137[.]184[.]67[.]33 | IP Address | C2 Server
hxxp://206[.]188[.]196[.]77:8080/themes.aspx | URL | Malicious URL
125[.]212[.]220[.]48 | IP Address | Malicious IP
5[.]180[.]61[.]17 | IP Address | Malicious IP
47[.]242[.]39[.]92 | IP Address | Malicious IP
61[.]244[.]94[.]85 | IP Address | Malicious IP
86[.]48[.]6[.]69 | IP Address | Malicious IP
86[.]48[.]12[.]64 | IP Address | Malicious IP
94[.]140[.]8[.]48 | IP Address | Malicious IP
94[.]140[.]8[.]113 | IP Address | Malicious IP
103[.]9[.]76[.]208 | IP Address | Malicious IP
103[.]9[.]76[.]211 | IP Address | Malicious IP
104[.]244[.]79[.]6 | IP Address | Malicious IP
112[.]118[.]48[.]186 | IP Address | Malicious IP
122[.]155[.]174[.]188 | IP Address | Malicious IP
125[.]212[.]241[.]134 | IP Address | Malicious IP
185[.]220[.]101[.]182 | IP Address | Malicious IP
194[.]150[.]167[.]88 | IP Address | Malicious IP
212[.]119[.]34[.]11 | IP Address | Malicious IP
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | SHA256 | Webshell file pxh4HG1v[.]ashx
65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5 | SHA256 | Webshell file RedirSuiteServiceProxy[.]aspx
b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca | SHA256 | Webshell file RedirSuiteServiceProxy[.]aspx
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | SHA256 | Webshell file Xml[.]ashx (same content as pxh4HG1v[.]ashx)
be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257 | SHA256 | Webshell file errorEE[.]aspx
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 | SHA256 | DLL file Dll[.]dll
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 | SHA256 | DLL file Dll[.]dll
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 | SHA256 | DLL file Dll[.]dll
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 | SHA256 | DLL file Dll[.]dll
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 | SHA256 | DLL file Dll[.]dll
76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e | SHA256 | DLL dumped from the Svchost[.]exe process
MITRE TTPs
GTSC researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs) for post-exploitation activity they observed:
ID | Tactic | Name
--- | --- | ---
T1586.002 | Resource Development | Compromise Accounts: Email Accounts
T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell
T1047 | Execution | Windows Management Instrumentation
T1505.003 | Persistence | Server Software Component: Web Shell
T1070.004 | Defense Evasion | Indicator Removal on Host: File Deletion
T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location
T1620 | Defense Evasion | Reflective Code Loading
T1003.001 | Credential Access | OS Credential Dumping: LSASS Memory
T1087 | Discovery | Account Discovery
T1083 | Discovery | File and Directory Discovery
T1057 | Discovery | Process Discovery
T1049 | Discovery | System Network Connections Discovery
T1570 | Lateral Movement | Lateral Tool Transfer
T1560.001 | Collection | Archive Collected Data: Archive via Utility