Microsoft confirms new Exchange zero-days are used in attacks


    Microsoft Exchange

    Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild.

    “The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft said.

    “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”

    The company added that the CVE-2022-41040 flaw could only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability.

    Microsoft Exchange Online customers do not need to take any action at the moment because the zero-days only impact on-premises Microsoft Exchange instances.

    “We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks,” Microsoft added.

    According to Vietnamese cybersecurity outfit GTSC, which first reported the ongoing attacks, the zero-days are chained to deploy China Chopper web shells for persistence and data theft and to move laterally through the victims’ networks.

    GTSC also suspects that a Chinese threat group might be responsible for the ongoing attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

    The threat group also manages the web shells with AntSword, a Chinese open-source website administration tool, as revealed by the user agent used to install them on compromised servers.

    Mitigation available

    Redmond has also confirmed mitigation measures shared yesterday by GTSC, whose security researchers also reported the two flaws to Microsoft privately through the Zero Day Initiative three weeks ago.

    “On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports,” Microsoft added.

    “The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”

    To apply the mitigation to vulnerable servers, you will need to go through the following steps:

    1. Open the IIS Manager.
    2. Expand the Default Web Site.
    3. Select Autodiscover.
    4. In the Feature View, click URL Rewrite.
    5. In the Actions pane on the right-hand side, click Add Rules.
    6. Select Request Blocking and click OK.
    7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
    8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
    9. Change the condition input from {URL} to {REQUEST_URI}.

    Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:

    GTSC said yesterday that admins who want to check if their Exchange servers have already been compromised could run the following PowerShell command to scan IIS log files for indicators of compromise:

    Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
