Customer Advisory | Microsoft Exchange Zero-day Vulnerabilities CVE-2022-41040 and CVE-2022-41082, Actively Exploited
By Deepwatch Threat Intelligence Team,
Updated 7 October to reflect the products these vulnerabilities affect.
What You Need to Know
- Multiple reports that new Microsoft Exchange Zero-Day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) are being actively exploited in limited, targeted attacks by suspected Chinese Nation State Threat Actors
- These vulnerabilities, which affect Exchange Servers 2013, 2016, and 2019, could allow an already authenticated threat actor remote code execution (RCE) to deploy a backdoor to the system, such as a web shell for further intrusion into the environment
- Due to lack of patches (Zero-day) Microsoft recommends mitigations via configuration to configure a URL rewrite and block exposed remote PowerShell ports. Guidance is outlined in the Microsoft Blog Post
What You Need to Do
- Identify your organization’s externally accessible (Internet Facing) Microsoft Exchange Servers.
- Depending on your organization’s risk appetite consider these risk reduction measures:
- Remove external access to the Outlook Web App until a patch is released by Microsoft and the system is fully patched.
- Perform the mitigation steps detailed in Microsoft Blog Post to break the attack chain required for successful exploitation.
- Ensure host-based security protection software such as Endpoint Detection and Response (EDR) or Anti-Virus (AV) is currently installed and functioning properly on Microsoft Exchange servers.
- Be vigilant on security alerting activity sourcing from Internet exposed Microsoft Exchange servers especially alerts indicating web shell activity.
- Consider utilizing Microsoft’s cloud technologies such as O365 for office productivity.
What Deepwatch is Doing
- Working to identify and contact customers with externally facing on-prem exchange servers.
- Evaluating detection strategy for this exploitation.
- Searching for signs of exploitation across our customer base.
- Awaiting signature updates from firewall vendors to identify and block the traffic.
- Awaiting plugin updates from vulnerability management vendors to confirm affected assets.
- Managed EDR Customers:
- EDR Engineers are working with EDR vendors to verify protection(s) available.
- EDR Engineers are monitoring for potential policy updates and/or searches to incorporate for added detection capability.
On September 30, Microsoft confirmed two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) for Microsoft Exchange (On-Prem and Hybrid Servers). GTSC, a Vietnamese cybersecurity company, was the first to report the identification of these vulnerabilities and incident activity. With authenticated access, these vulnerabilities can be chained together to facilitate remote access to deploy backdoors on the affected systems. It is important to note that exploitation of these vulnerabilities requires the attacker to authenticate prior to exploitation. Current reports indicate China Chopper WebShell deployment as a part of this attack chain.
As of September 30, multiple organizations are reporting active exploitation. These vulnerabilities appear to affect systems with the latest patches. Microsoft has not yet released a patch to resolve these vulnerabilities, but has released a blog post detailing mitigations Microsoft Blog Post.
The vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082“, affect Microsoft on-premise Exchange servers. These vulnerabilities have been CVSS rated as 8.8 and 6.3 per the Zero-day Initiative. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability. If PowerShell is accessible to the attacker, CVE-2022-41082 facilitates remote code execution (RCE). As these are newly identified vulnerabilities with no available patch, they are classified as zero-days vulnerabilities.
Analyst Note: Once a patch is released, it is highly likely that the patch will be analyzed and reverse engineered to build exploit code. Deepwatch recommends properly testing and deploying the patch as quickly as possible when it becomes available.
This vulnerability affects the following Microsoft products:
- Microsoft Exchange Hybrid Deployment Servers
- Microsoft Exchange On-premise Servers
As of this time, Deepwatch is not aware of any publicly available proof-of-concept (POC) exploit code; however, there are reports of active exploitation.
Attack Chain: *As understood based on current public details.
- Gain authenticated access to the vulnerable system
- Requires the attacker to obtain credentials
- Perform a Server-Side Request Forgery exploit via CVE-2022-41040
- Exploit CVE-2022-41082
- Requires PowerShell Access
- Creates Webshell on affected system for additional interaction
Analyst Note: Threat actors are likely acquiring credentials to obtain authenticated access via a variety of avenues, including but not limited to Phishing/Credential Harvesting.
Be On the Lookout (BOLO) and Monitor Logs For
- Exchange/IIS web log entries (POST requests) with a URL containing: “*powershell*autodiscover.json*@*” with 200 status code
- PowerShell query for local check:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200’
- PowerShell query for local check:
- Exchange/IIS web log entries with user agents containing the string “Antsword”
- This user agent is associated with “an active Chinese-based opensource cross-platform website administration tool that supports webshell management” (source: gteltsc[.]vn)
- Addition of .aspx files to web directories & subsequent inbound traffic to them (webshell installation/usage)
- Creation/modification of RedirSuiteServiceProxy.aspx, Xml.ashx, pxh4HG1v.ashx, errorEE.aspx
- EXCHANGE process spawning powershell.exe, cmd.exe, or other rare child processes (based on executable or command line)
- rar.exe or certutil.exe activity in 4688 process logs on Exchange Servers
- rar.exe is used to compress/collect files for exfiltration
- certutil.exe is used to download remote files for further exploitation/persistence
- Presence of “echo [S]&cd&echo [E]” in 4688 commandline data (Signature of ChinaChopper)
- New executables being run (historically anomalous in 4688 process logs)
- Presence/usage of following files
- Presence/usage of following files
Microsoft Exchange servers have been observed in high-profile attacks over the past couple years with similar attack chains leading to deployment of web shells for persistent access. A previous Microsoft Exchange significant cyber event involved Hafium (Chinese APT Threat Actor) with an eventual release of exploit code to the public that led to mass exploitation of ProxyLogon and ProxyShell by various Threat Actors to include ransomware gangs. This latest set of vulnerabilities reportedly require initial authentication access for successful exploitation which limits exploitation exposure for these vulnerabilities. As a result of these recurring attack patterns over the past few years, it is recommended that organizations consider utilizing Microsoft cloud technologies such as O365 for email services.
Customers and organizations are encouraged to implement the guidance and recommendations set out in the “What You Need to Do” section above.
Deepwatch, a leader in managed security services, protects our customers from ever-increasing cyber threats 24/7/365. Powered by curated threat intelligence produced by our Threat Intel Team, our cloud-based security operations platform provides the industry’s most comprehensive detection and automated response to cyber threats. In addition, dedicated experts provide our tailored guidance to mitigate risk and measurably improve security posture. As a result, hundreds of organizations, from Fortune 100 to mid-sized enterprises, trust Deepwatch to protect their business. Visit www.deepwatch.com to learn more.