
- 220/2022
- Critical
Security researchers have detected Microsoft Exchange zero-day vulnerabilities allowing for remote code execution. These vulnerabilities are critical because they enable attackers to achieve RCE on compromised systems whenever the Exchange PowerShell endpoint is reachable.
Microsoft has identified two zero-day vulnerabilities, CVE-2022-41040 (Server Side Request Forgery (SSRF)) and CVE-2022-41082 (Remote Code Execution (RCE)), affecting Microsoft Exchange Server 2013, 2016, and 2019.
An authenticated attacker could exploit CVE-2022-41040 to remotely trigger CVE-2022-41082. Note that authenticated access to the vulnerable Exchange Server is required to exploit either of the two vulnerabilities successfully.
Security researchers suspect a Chinese threat group is responsible for the attacks, based on the China Chopper web shells observed: the detected web shell uses code page 936, a Microsoft character encoding for Simplified Chinese.
The user agent used to install the web shells also belongs to AntSword, a Chinese open-source website administration tool with web shell management support.
These actors deploy China Chopper web shells on compromised servers for persistence and data theft, and use them to move laterally to other systems on the victims’ networks.
The exploit works as below:
- Requests follow a format similar to the ProxyShell exploit: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
- The attackers use requests of this form to achieve RCE on the targeted servers.
- Compromised Microsoft Exchange servers can be detected by scanning the IIS log files for indicators of compromise with PowerShell: Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
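As an added worked example (not part of this advisory), the IIS log indicator above applied to a constructed W3C log excerpt in Python. It keeps the advisory's exact regex, compiled case-insensitively because Select-String is case-insensitive by default, and adds ATTEMPT_PATTERN, an assumption of our own that drops the trailing 200 so that failed exploitation attempts (e.g. 401 responses) are surfaced as well.

```python
import re

# Regex from the advisory's Select-String command. Select-String ignores
# case by default, so re.IGNORECASE is required to get the same matches.
PAGE_PATTERN = r"powershell.*autodiscover\.json.*\@.*200"

# Assumption (not from the advisory): drop the trailing status so that
# unsuccessful attempts are reported too, not only requests that got a 200.
ATTEMPT_PATTERN = r"powershell.*autodiscover\.json.*\@"

# Constructed IIS W3C extended log excerpt (sample data, not real traffic).
# The second and third requests mirror the request shape quoted above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:01:12 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 200
2022-09-30 08:02:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.9 Mozilla/5.0 200
2022-09-30 08:03:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/PowerShell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.9 Mozilla/5.0 401
2022-09-30 08:04:10 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com 443 - 10.0.0.21 Microsoft-Outlook 200
"""


def parse_w3c(lines):
    """Turn IIS W3C log lines into dicts keyed by the #Fields header names."""
    fields, records = [], []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the columns
        elif line.startswith("#") or not line:
            continue                           # other directives / blank lines
        else:
            values = line.split()
            if len(values) == len(fields):     # skip malformed rows
                rec = dict(zip(fields, values))
                rec["raw"] = line              # keep the full line for matching
                records.append(rec)
    return records


def scan_iis_log(text, pattern=PAGE_PATTERN):
    """Return parsed records whose raw log line matches the indicator regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [rec for rec in parse_w3c(text.splitlines()) if rx.search(rec["raw"])]


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG, ATTEMPT_PATTERN):
        print(hit["date"], hit["time"], hit["c-ip"], hit["sc-status"], hit["cs-uri-query"])
```

With the advisory's pattern only the successful (200) request is reported; with the broader pattern the 401 attempt from the same client appears as well, while the legitimate Outlook Autodiscover request is never flagged.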
Indicators of Compromise
Indicators of compromise will be shared with EG-FinCIRT’s Constituents
Vulnerabilities
- CVE-2022-41040
- CVE-2022-41082
Mitigations
Until Microsoft releases security updates that address the two zero-days, security researchers have shared a temporary mitigation that blocks attack attempts. Apply the following steps:
1. Open the IIS Manager.
2. Expand the Default Web Site.
3. Select Autodiscover.
4. In the Feature View, click URL Rewrite.
5. In the Actions pane on the right-hand side, click Add Rules.
6. Select Request Blocking and click OK.
7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
9. Change the condition input from {URL} to {REQUEST_URI}.
10. Block the following Remote PowerShell ports:
a. HTTP: 5985
b. HTTPS: 5986
11. Block all IPs listed in the IOCs section, as they are involved in the current active attacks exploiting these vulnerabilities.