On September 29, 2022, the Vietnamese cybersecurity firm GTSC published a blog post disclosing two zero-day vulnerabilities in Microsoft Exchange Server. GTSC had actually discovered these vulnerabilities in early August 2022 and submitted them to the Zero Day Initiative to work with Microsoft on the necessary patches and mitigation guidance.
Typically, zero-day vulnerabilities like these are kept under wraps to give the affected vendor, in this case Microsoft, time to address them and publish patches. However, GTSC found evidence of attacks using these vulnerabilities in the wild, so it decided to announce them for the public good, to help stop further attacks on Microsoft Exchange email systems even before Microsoft was able to provide official patches. The risk is that bad actors will exploit these vulnerabilities to launch attacks before patches are available; the reward is that organizations can now take steps to monitor for and address any threats to their IT environments, since attacks are already underway.
WHAT ARE THESE ZERO-DAY VULNERABILITIES?
Microsoft published a blog on September 30, 2022 acknowledging that the two zero-day vulnerabilities were being used in “limited targeted attacks” against Internet-facing, on-premises Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Microsoft stated that Exchange Online customers are not impacted, but customers running Exchange hybrid servers with Outlook Web Access (OWA) may be at risk. It is estimated that hundreds of thousands of organizations use Microsoft Exchange, while many more use Exchange Online.
The first zero-day, CVE-2022-41040, is a server-side request forgery (SSRF) flaw that allows authenticated attackers to make requests by posing as the affected machine. The second, CVE-2022-41082, is a remote code execution (RCE) vulnerability that applies when Exchange PowerShell is accessible to the attacker. These vulnerabilities can be used to access a victim’s systems, enabling bad actors to drop web shells and move laterally across the compromised network. Of note is that any authenticated email user can exploit these vulnerabilities; administrator credentials are not needed.
These two zero-day vulnerabilities can be exploited independently or chained together, where CVE-2022-41040 can enable authenticated attackers to remotely trigger CVE-2022-41082 arbitrary code execution. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
WHO IS BEHIND THESE ZERO-DAYS?
GTSC detected web shells placed on Exchange servers using “Antsword, an active Chinese-based open source cross-platform website administration tool that supports web shell management”. The firm suspected that the attacks likely originated from a Chinese attack group, since the web shell’s encoding was simplified Chinese and the group deployed the China Chopper web shell, which is commonly used by Chinese attackers to remotely control web servers.
OUR SECURITY EXPERTS ARE ON IT
Pondurance Managed Detection and Response (MDR) services are committed to stopping cyberattacks before they can do harm to our clients’ organizations. Our team of security analysts, threat hunters, cyber threat intelligence analysts and incident responders has been tracking these two zero-day vulnerabilities in Microsoft Exchange Server and monitoring for the identified indicators of compromise (IOCs).
The security experts that staff the Pondurance Security Operations Center (SOC) 24/7/365 communicate with clients continually through our Scope platform, which provides clients with two-way collaboration on alerts, threat intelligence and response actions. It was here that we began communicating what we were seeing with these zero-day vulnerabilities, and it is where we receive and respond to specific questions or concerns as they arise.
WHAT CAN YOU DO NOW?
Microsoft has indicated that they are working as quickly as they can to publish patches to their Exchange Servers and urged on-premises Microsoft Exchange customers to add a blocking rule in Internet Information Services (IIS) Manager as a temporary workaround to mitigate potential threats.
In the absence of official patches, your organization should check your environments for signs of exploitation and then apply the emergency mitigation steps.
Detect the Exploitation
GTSC recommended that organizations check whether their Exchange Servers have already been compromised by running this PowerShell command against the IIS log directory (Select-String matches case-insensitively by default):
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*Autodiscover\.json.*\@.*200'
The cybersecurity firm has also developed a search tool for signs of exploitation and released it on GitHub. In addition, Microsoft provided guidance on using its own security tools, such as Microsoft Sentinel, Microsoft Defender for Endpoint and Microsoft Defender Antivirus, to detect the exploitation.
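The following is an added example (not from GTSC, Microsoft or Pondurance) that ports the GTSC hunting regex above to Python and runs it over a constructed IIS W3C log excerpt, then shows a field-aware check that reads the actual sc-status column instead of matching "200" anywhere on the line. The log lines, hostnames and IP addresses are constructed for illustration and are not from a real incident.

```python
import re

# GTSC's hunting regex as given on the page. PowerShell's Select-String is
# case-insensitive by default, so the Python port needs re.IGNORECASE.
GTSC_PATTERN = re.compile(r"powershell.*Autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS W3C log excerpt (illustrative, not captured from an incident).
# Column order is taken from the file's own "#Fields:" directive. Line 3 has a
# 401 status but a client IP ending in ".200", which the raw regex still matches.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 10:15:22 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0 200
2022-09-28 10:16:01 10.0.0.5 POST /powershell Email=autodiscover/autodiscover.json%3f@constructed.invalid 444 user1 198.51.100.77 Mozilla/5.0 200
2022-09-28 10:16:05 10.0.0.5 POST /powershell Email=autodiscover/autodiscover.json%3f@constructed.invalid 444 user1 198.51.100.200 Mozilla/5.0 401
2022-09-28 10:17:30 10.0.0.5 GET /ecp/default.aspx - 443 - 198.51.100.20 Mozilla/5.0 200
"""

def grep_gtsc_pattern(log_text):
    """Line-level equivalent of the page's Get-ChildItem | Select-String command."""
    return [line for line in log_text.splitlines() if GTSC_PATTERN.search(line)]

def parse_iis_w3c(log_text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))  # IIS encodes spaces in values as '+'

def hunt_field_aware(log_text):
    """Require all three tokens in the request URI and an sc-status of exactly 200.

    The raw regex's trailing '200' can match any later column (client IP, byte
    counts), so checking the parsed status column avoids that false positive.
    """
    hits = []
    for rec in parse_iis_w3c(log_text):
        uri = (rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")).lower()
        if all(tok in uri for tok in ("powershell", "autodiscover.json", "@")) and rec.get("sc-status") == "200":
            hits.append({k: rec[k] for k in ("date", "time", "c-ip", "cs-username", "cs-uri-stem", "cs-uri-query", "sc-status")})
    return hits

if __name__ == "__main__":
    print(len(grep_gtsc_pattern(SAMPLE_IIS_LOG)), "raw regex hits")
    for hit in hunt_field_aware(SAMPLE_IIS_LOG):
        print(hit)
```

Against real logs, read each file under the IIS log directory and feed its text to both functions; a raw-regex hit that the field-aware check drops is worth a manual look rather than being dismissed outright.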
Mitigate the Vulnerabilities
Until Microsoft releases the official patches, Microsoft recommended the following steps to mitigate exploitation of your on-premises Exchange Servers:
- Add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. Exchange Server customers should review and choose only one of the following three mitigation options.
- Option 1: For customers who have the Exchange Server Emergency Mitigation Service (EMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically.
- Option 2: Microsoft created this script for the URL Rewrite mitigation steps.
- Option 3: Customers can follow these detailed steps in Microsoft’s blog to add the blocking rule to break current attack chains.
Microsoft stated that Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online often have hybrid Exchange environments with a mix of on-premises and cloud systems. If this applies to your environment, you should follow the above guidance to protect your on-premises servers.
WE’LL KEEP YOU UPDATED
As thousands of Microsoft Exchange Server customers await the official patches to these exploits, Pondurance clients can have peace of mind that our SOC team is working around-the-clock to protect you from these and many other cyber threats. We’ll provide updates through our Scope platform and blogs as necessary to address these Microsoft Exchange Server zero-day vulnerabilities.