Vulnerability Alert: Microsoft Exchange Double Zero-Day Vulnerabilities


By Michelle Drolet

Founder & CEO


What You Need to Know:

There are two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 is a vulnerability that allows for remote code execution when PowerShell is accessible to a threat actor.

Microsoft stated that the current attacks are limited, but the two vulnerabilities can be chained together and used to breach corporate networks. According to Microsoft, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. In the observed attacks the threat actors chained the two to deploy China Chopper web shells on the compromised servers and then used that foothold to move laterally to other systems in the victim's network. Note that exploiting either vulnerability requires authenticated access to the Exchange Server; the chain does not work without a valid account.

It is suspected that a Chinese threat group is responsible for the current attacks, based on two observations:

  1. The web shells' code page, which is a Microsoft character encoding for simplified Chinese.
  2. The threat actor manages the web shells with AntSword, a Chinese open-source website administration tool.

Microsoft further stated that it is working on a timeline to release a fix for the zero-days and has provided mitigations and detections in the meantime. Microsoft is monitoring its detections for malicious activity and will post updates for customers on its site.

If you run Exchange Online only, you do not need to take any action. If you run on-premises Microsoft Exchange, including on-premises servers kept for a hybrid deployment, review and apply Microsoft's URL Rewrite instructions and block exposed Remote PowerShell ports. The rewrite instructions are in Microsoft's customer guidance post; note that Microsoft revised the URL Rewrite pattern more than once after the initial guidance, so take the pattern from the current version of that post rather than from an earlier copy.


Towerwall Recommendations:

  • According to Microsoft, blocking TCP ports 5985 (HTTP) and 5986 (HTTPS) on your Exchange server will limit (if not prevent) attackers from chaining from the first vulnerability to the second.
  • Force connected users to log back in by de-authenticating (terminating the sessions of) logged-in email users. An attacker riding a stolen session cannot easily re-authenticate unless they have fully compromised the user's account.
  • Enable behavioral endpoint threat detection on servers. Because the exploit rides on a legitimately authenticated session, its requests are hard to tell apart from normal traffic at the network edge; it is easier to catch what the chain drops on the server (the web shell and the processes it spawns) than to block the exploit itself.
  • Follow Microsoft’s guidelines for detecting and mitigating CVE-2022-41040 and CVE-2022-41082.
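The port-blocking step above, written out for the Windows host firewall of an on-premises Exchange server. This is an added example, not Towerwall's or Microsoft's script; it assumes Windows Server with the NetSecurity module (Server 2012 or later) and an elevated PowerShell session, and the rule name is an assumption.

```powershell
# Added example (not Towerwall's or Microsoft's script): block the Remote PowerShell
# (WinRM) listener ports 5985/TCP and 5986/TCP at the Windows host firewall of an
# on-premises Exchange server, then verify the rule. Assumes Windows Server with the
# NetSecurity module (Server 2012 or later) and an elevated PowerShell session.
# The rule name below is an assumption; use whatever fits your naming convention.

$RuleName = 'Block Inbound Remote PowerShell (TCP 5985, 5986)'
$Ports    = @(5985, 5986)

# Show who is connected over these ports before cutting them off, so a legitimate
# remote-administration session is not mistaken for attacker activity (and vice versa).
Get-NetTCPConnection -LocalPort $Ports -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, OwningProcess |
    Format-Table -AutoSize

# Create the block rule only if it does not already exist, so the script is idempotent.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound -Protocol TCP -LocalPort $Ports `
                        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: the rule is enabled, inbound, blocking, and covers both ports. A rule that
# merely exists is not enough; a pre-existing rule with the same name could differ.
$rule    = Get-NetFirewallRule -DisplayName $RuleName
$filter  = $rule | Get-NetFirewallPortFilter
$covered = (@($filter.LocalPort) -contains '5985') -and (@($filter.LocalPort) -contains '5986')

if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and
    $rule.Direction -eq 'Inbound' -and $covered) {
    Write-Output "OK: '$RuleName' is active and blocks inbound TCP $($Ports -join ', ')"
} else {
    Write-Warning "Rule '$RuleName' is missing or incomplete; check it in Windows Defender Firewall"
}
```

Blocking these ports also stops legitimate WinRM remote administration of the server over 5985/5986, so plan an alternative management path before rolling this out. The connection listing at the top is there so you can see who is about to be cut off, and so that an established session from an unexpected remote address is not lost before it is investigated.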

Indicators of Compromise (IoCs):

CVE-2022-41040 & CVE-2022-41082

  • 122[.]155[.]174[.]188
  • 125[.]212[.]241[.]134
  • 137[.]184[.]67[.]33
  • 194[.]150[.]167[.]88
  • 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
  • 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
  • 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
  • 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
  • 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
  • 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
  • b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
  • be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
  • c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
  • c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
  • 103[.]9[.]76[.]208
  • 103[.]9[.]76[.]211
  • 112[.]118[.]48[.]186
  • 125[.]212[.]220[.]48
  • 206[.]188[.]196[.]77
  • 212[.]119[.]34[.]11
  • 47[.]242[.]39[.]92
  • 5[.]180[.]61[.]17
  • 61[.]244[.]94[.]85
  • 86[.]48[.]12[.]64
  • 86[.]48[.]6[.]69
  • 94[.]140[.]8[.]113
  • 94[.]140[.]8[.]48
  • hxxp://206[.]188[.]196[.]77:8080/themes[.]aspx
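A sweep of IIS logs and web directories for the indicators listed above, as an added example that is not Towerwall's or Microsoft's code. The indicator values are the ones from this advisory, copied in their defanged form and refanged at run time; the sample log lines are constructed for the demonstration and are not real traffic; the log and web-root paths in the closing comments are IIS defaults and are assumptions for your server.

```powershell
# Added example (not Towerwall's or Microsoft's code): sweep an on-premises Exchange
# server's IIS logs and web directories for the indicators in this advisory. The
# indicators are copied here in defanged form and refanged at run time. The sample log
# lines are constructed (not real traffic); the paths at the bottom are IIS defaults and
# are assumptions for your installation.

$IocIps = @(
    '122[.]155[.]174[.]188', '125[.]212[.]241[.]134', '137[.]184[.]67[.]33', '194[.]150[.]167[.]88',
    '103[.]9[.]76[.]208', '103[.]9[.]76[.]211', '112[.]118[.]48[.]186', '125[.]212[.]220[.]48',
    '206[.]188[.]196[.]77', '212[.]119[.]34[.]11', '47[.]242[.]39[.]92', '5[.]180[.]61[.]17',
    '61[.]244[.]94[.]85', '86[.]48[.]12[.]64', '86[.]48[.]6[.]69', '94[.]140[.]8[.]113', '94[.]140[.]8[.]48'
)
$IocUrls = @('hxxp://206[.]188[.]196[.]77:8080/themes[.]aspx')
$IocHashes = @(
    '074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82',
    '29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3',
    '45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9',
    '65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5',
    '76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e',
    '9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0',
    'b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca',
    'be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257',
    'c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1',
    'c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2'
)

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Undo the defanging used in the list: "[.]" -> "." and a leading "hxxp" -> "http".
    return $Indicator.Replace('[.]', '.') -replace '^hxxp', 'http'
}

function Find-IocInLogLines {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Line,
        [Parameter(Mandatory)][string[]]$Indicators
    )
    begin {
        # One literal (escaped) pattern per indicator. The look-arounds anchor the match
        # on token boundaries so 5.180.61.17 does not fire inside 5.180.61.170 or 15.180.61.17.
        $patterns = foreach ($i in $Indicators) {
            '(?<![\w.])' + [regex]::Escape((ConvertFrom-Defanged $i)) + '(?![\w.])'
        }
    }
    process {
        foreach ($p in $patterns) {
            if ($Line -match $p) {
                [pscustomobject]@{ Indicator = $Matches[0]; Line = $Line }
            }
        }
    }
}

function Find-IocHashes {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Hashes
    )
    # SHA-256 every file under $Path and return those whose hash is on the list.
    # Case-insensitive set: the advisory lists lower-case hex, Get-FileHash emits upper-case.
    $wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Hashes) { [void]$wanted.Add($h) }
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Where-Object { $wanted.Contains($_.Hash) } |
        Select-Object Path, Hash
}

# Constructed IIS W3C log lines (not real traffic): the first carries a listed client IP,
# the second is benign, the third contains a listed IP only as the tail of a longer one.
$SampleLog = @(
    '2022-09-30 08:14:02 10.0.0.5 POST /owa/auth.owa - 443 - 125.212.241.134 Mozilla/5.0 - 200 0 0 31',
    '2022-09-30 08:14:09 10.0.0.5 GET /ecp/ - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 12',
    '2022-09-30 08:15:40 10.0.0.5 GET /owa/ - 443 - 15.180.61.17 Mozilla/5.0 - 200 0 0 9'
)

$SampleLog | Find-IocInLogLines -Indicators ($IocIps + $IocUrls) | Format-Table -AutoSize

# Against a live server (paths are IIS/Exchange defaults and assumptions for your host):
# Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' | Find-IocInLogLines -Indicators ($IocIps + $IocUrls)
# Find-IocHashes -Path 'C:\inetpub\wwwroot' -Hashes $IocHashes
# Find-IocHashes -Path (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy') -Hashes $IocHashes
```

The boundary look-arounds in Find-IocInLogLines are the part worth copying: a plain substring search on the refanged IPs would also flag addresses that merely contain a listed one, which on a busy front end produces enough noise to get the sweep ignored. Hash matching is deliberately set-based and case-insensitive because the advisory prints lower-case hex while Get-FileHash returns upper-case; a naive string comparison would miss every hit.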

Supporting Documentation:

If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.