Vulnerability Alert: Microsoft Exchange Double Zero-Day Vulnerabilities
What You Need to Know:
There are two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 is a vulnerability that allows for remote code execution when PowerShell is accessible to a threat actor.
Microsoft stated that the current attacks are limited, but the two vulnerabilities can be chained together and used to breach corporate networks. According to Microsoft, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. The threat actors chain the vulnerabilities together to deploy China Chopper web shells on the compromised servers, which allows them to move laterally to other systems within the victim’s network. However, to exploit either vulnerability, an attacker needs authenticated access to the Exchange Server.
It’s suspected that a Chinese threat group is responsible for the current attacks based on two things:
- The web shells use a code page that is a Microsoft character encoding for Simplified Chinese.
- The threat actor manages the web shells with AntSword, a Chinese open-source website admin tool.
Microsoft further stated that they are working on a timeline to release a fix for the zero-days, but they have provided mitigations and detections in the meantime. Microsoft is monitoring the detections for malicious activity and will provide updates for customers on their site.
If you are a Microsoft Exchange Online customer, you don’t need to take any action. However, on-premises Microsoft Exchange customers should review and apply Microsoft’s URL Rewrite Instructions, as well as block exposed Remote PowerShell ports. Guidance for the Rewrite instructions can be found in Microsoft’s customer guidance, listed under Supporting Documentation.
Towerwall Recommendations:
- According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit (if not prevent) attackers from chaining from the first vulnerability to the second.
- Force connected users to log back into their accounts by de-authenticating logged-in email users. An attacker will not be able to reauthenticate easily unless they have fully compromised the user’s account.
- Enable behavioral endpoint threat detection on servers. It’s easier to catch the malware that will exploit the chain than it is to detect or stop the exploit chain itself, because the malware relies on a compromised authenticated session.
- Follow Microsoft’s guidelines for detecting and mitigating CVE-2022-41040 and CVE-2022-41082.
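As an added example (not Microsoft's or Towerwall's own script), the PowerShell below audits the port-blocking recommendation on an Exchange server: it reports whether TCP 5985 and 5986 have a listener and whether an enabled inbound block rule covers them, and it creates a block rule only when run with -Apply. The rule name and the -Apply switch are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, and with -Apply block, inbound TCP 5985/5986 (Remote PowerShell / WinRM).
param([switch]$Apply)

$ports    = 5985, 5986
$ruleName = 'Block inbound Remote PowerShell (TCP 5985-5986)'   # hypothetical rule name

# True when a firewall LocalPort spec ('Any', '5985', '5000-6000', or a list) covers $Port.
function Test-PortCovered {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

# 1. Which of the two ports currently has a listener (normally the WinRM service)?
$listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports } |
    Select-Object -ExpandProperty LocalPort -Unique)

# 2. Local-port specs of every enabled inbound TCP block rule.
#    Approximation: rules scoped to a profile, program or remote address are counted as-is.
$blockSpecs = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' } |
    ForEach-Object { $_.LocalPort })

# 3. Report the state of each port.
foreach ($p in $ports) {
    [pscustomobject]@{
        Port      = $p
        Listening = $p -in $listening
        Blocked   = Test-PortCovered -Spec $blockSpecs -Port $p
    }
}

# 4. Create the block rule only when asked to, and only once.
if ($Apply -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ports -Action Block -Profile Any | Out-Null
}
```

Blocking these ports also stops legitimate WinRM remote management of the server, so confirm how the server is administered before running with -Apply.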
Indicators of Compromise (IoCs):
CVE-2022-41040 & CVE-2022-41082
Supporting Documentation:
- Microsoft confirms new Exchange zero-days are used in attacks (bleepingcomputer.com)
- URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different” – Naked Security (sophos.com)
- Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center
- New Microsoft Exchange zero-days actively exploited in attacks (bleepingcomputer.com)
If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.