On 29 Sept, Microsoft disclosed that they started investigation on two zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082 in Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 . The CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and the other vulnerability, CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
As per Microsoft, currently, the adversaries are exploiting these vulnerabilities for targeted attacks. As per the guidance provided here, it is believed that CVE-2022-41040 can be used as a stepping stone for the authenticated adversary to remotely exploit another vulnerability, CVE-2022-41082.
However, authenticated access to the vulnerable exchange server is required to exploit either of these vulnerabilities. They both can also be used separately.
Both these vulnerabilities are also identified as ProxyNotShell.
What are the issues?
In August 2022, in a small number of targeted attacks, an adversary group, which is believed to be a state sponsored organization, gained initial access and compromised Exchange Servers by chaining CVE-2022-41040 and CVE-2022-41082.
As per the blog from Microsoft, an adversary group was able to install a widely abused Chopper web shell using which the adversary gained hands-on-keyboard access. Then the adversary is believed to perform the Active Directory reconnaissance attack followed by exfiltration of data. Later, in September 2022, Microsoft also evaluated these attacks for a possible newer vector when Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082.
The details along with an example of chained exploitation of these two vulnerabilities, CVE-2022-41040 and CVE-2022-41082 and exploitation details of CVE-2022-41040 are available here.
Below picture shows the possible attack/exploitation flow which can be used for exchange server vulnerabilities.
Even though the authentication to the vulnerable Exchange Server is required to exploit these vulnerabilities, it is just the standard user level authentication required. The credentials required for a standard user level authentication can easily be gained through commonly known techniques like password spray etc.
Adversaries exploited prior Exchange vulnerabilities that required authentication for deploying ransomware. Hence it is speculated that these vulnerabilities can likely be included for similar attacks.
Few of the Suspicious URIs found by Zscaler ThreatLabZ Team :
- /qbox?query=Domain_Name/autodiscover.json@Powershell&language=en- US
- /autodiscover/autodiscover.json[email protected]/&Email=autodiscover/autodiscover.json%[email protected]
- /ac/?q="/autodiscover/[email protected]/powershell/
- /autodiscover/[email protected]/owa/&Email=autodiscover/[email protected]&FooProtocol=Powershell
This vulnerability affects the following Microsoft products:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
- For mitigation of said vulnerability Microsoft has released HotFix for vulnerable versions here.
- CISA/ US-CERT also released guidance for the same.
- Zscaler strongly recommends upgrading to patched versions or installing HotFix depending on what current version of Microsoft Exchange products are deployed.
Best Practices/Guidelines To follow:
- Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.
- Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on.
- Route all server traffic through Zscaler Private Access with additional application security module enabled and Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers.
- Restrict traffic to the critical infrastructure from the allowed list of known-good destinations.
- Ensure you are inspecting all SSL traffic.
- Turn on Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case if the adversary exploits this vulnerability to implant malware.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
Zscaler’s ThreatLabZ team has deployed protection.
- Advanced Threat Protection:
- Zscaler Private Access AppProtection:
- Category : Protocol-Enforcement - 920273
As further information comes in or additional protection is put into place, Zscaler will update this publication accordingly.