Background:
On 29 Sept, Microsoft disclosed that it had started investigating two zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, in Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and the other vulnerability, CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Per Microsoft, adversaries are currently exploiting these vulnerabilities in targeted attacks. Per the guidance provided here, CVE-2022-41040 is believed to serve as a stepping stone for an authenticated adversary to remotely exploit the second vulnerability, CVE-2022-41082.
However, authenticated access to the vulnerable Exchange Server is required to exploit either of these vulnerabilities. The two can also be used separately.
Together, these two vulnerabilities are also known as ProxyNotShell.
What are the issues?
In August 2022, in a small number of targeted attacks, an adversary group believed to be state-sponsored gained initial access and compromised Exchange Servers by chaining CVE-2022-41040 and CVE-2022-41082.
As per Microsoft's blog, the adversary group was able to install the widely abused Chopper web shell, through which it gained hands-on-keyboard access. The adversary is then believed to have performed Active Directory reconnaissance followed by exfiltration of data. Later, in September 2022, Microsoft also evaluated these attacks for a possible newer vector when the Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082.
The details, along with an example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and exploitation details of CVE-2022-41040, are available here.
The picture below shows the possible attack/exploitation flow for these Exchange Server vulnerabilities.
Even though authentication to the vulnerable Exchange Server is required to exploit these vulnerabilities, only standard user-level authentication is needed. Credentials for a standard user can easily be obtained through commonly known techniques such as password spraying.
Adversaries have exploited prior Exchange vulnerabilities that required authentication to deploy ransomware. Hence it is speculated that these vulnerabilities will likely be used in similar attacks.
Some of the suspicious URIs found by the Zscaler ThreatLabZ team:
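An added example, not from the original post and not ThreatLabZ's own tooling: a small Python script that reviews IIS W3C logs from an Exchange server for requests matching the regex Microsoft published in its ProxyNotShell URL Rewrite mitigation (assumed here to be applied to the URL-decoded path plus query string), and groups the hits by authenticated account, since exploitation needs valid credentials. The log lines, usernames and addresses are constructed.

```python
import re
import urllib.parse
from collections import Counter

# Regex published by Microsoft in its ProxyNotShell URL Rewrite mitigation (applied there to the
# request URI including the query string); reused here as a log-review signature, matched
# case-insensitively because IIS paths are not case-sensitive.
SUSPICIOUS_URI_RE = re.compile(r".*autodiscover\.json.*\@.*powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic); accounts and addresses are placeholders.
# Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-09-29 10:00:01 GET /owa/ - CONTOSO\\alice 10.0.0.5 200
2022-09-29 10:00:07 POST /autodiscover/autodiscover.json @example.test/powershell CONTOSO\\bob 198.51.100.7 200
2022-09-29 10:00:09 GET /autodiscover/autodiscover.json Email=bob%40example.test - 10.0.0.8 401
2022-09-29 10:01:12 POST /Autodiscover/Autodiscover.json %40example.test%2FPowerShell CONTOSO\\bob 198.51.100.7 200
"""

def parse_iis_line(line):
    """Split one W3C log line into a dict; returns None for directives, blank or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 8:
        return None
    keys = ("date", "time", "method", "stem", "query", "user", "client_ip", "status")
    return dict(zip(keys, parts))

def is_suspicious(rec):
    """Rebuild the request URI, URL-decode it so percent-encoded variants are not missed, then test it."""
    query = "" if rec["query"] == "-" else "?" + rec["query"]
    uri = urllib.parse.unquote(rec["stem"] + query)
    return SUSPICIOUS_URI_RE.match(uri) is not None

def find_suspicious(log_text):
    """Return the matching records plus a count per authenticated user, the pivot for follow-up
    (which account was used, and whether its password may have been sprayed or stolen)."""
    hits = [r for r in map(parse_iis_line, log_text.splitlines()) if r and is_suspicious(r)]
    by_user = Counter(r["user"] for r in hits)
    return hits, by_user

if __name__ == "__main__":
    hits, by_user = find_suspicious(SAMPLE_LOG)
    for r in hits:
        print(f'{r["date"]} {r["time"]} {r["user"]} {r["client_ip"]} {r["stem"]} {r["query"]}')
    print(dict(by_user))
```

Authenticated hits that return 200 deserve the first look; the 401 on a plain Autodiscover lookup is normal client behaviour and is not flagged.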
Affected products:
This vulnerability affects the following Microsoft products:
Mitigations:
Best Practices/Guidelines to Follow:
Zscaler Coverage:
Zscaler’s ThreatLabZ team has deployed protection.
As further information comes in or additional protection is put into place, Zscaler will update this publication accordingly.
Additional References: