
Update: 4th October 2022 15:00 GMT

A Vietnamese-based threat researcher has discovered that Microsoft’s recently posted mitigation for the zero-day Exchange vulnerability is insufficient and can be easily bypassed by determined threat actors.

This update contains new mitigations to help combat this zero-day.

Updated Containment, Mitigations & Remediations

As of writing this report, no patches are available for either vulnerability.

The previous Microsoft mitigation aimed to disrupt the attack chain with the string “.*autodiscover\.json.*\@.*Powershell.*”, but this string proved to be far too specific and thus enabled threat actors to bypass it with relative ease.

The following updated mitigation improves the blocking of the attack chain via an IIS Manager rule:

  • Open the IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rules…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover\.json.*Powershell.*” (excluding quotes) and then click OK
  • Expand the rule and select the rule with the pattern “.*autodiscover\.json.*Powershell.*” and click Edit under Conditions
  • Change the Condition input from {URL} to {REQUEST_URI}

This simple change is designed to cover a wider range of attacks, therefore making the vulnerability harder to exploit.
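As an added example (not from the bulletin and not Microsoft’s own code), the following script creates the same request-blocking rule the IIS Manager steps above produce, using the WebAdministration module so that it can be applied consistently across several servers and verified afterwards. It assumes the Exchange front end is served by “Default Web Site” and that the URL Rewrite module is installed (the GUI steps require it too); the rule name and the explicit ECMAScript (regular expression) pattern syntax are the example’s own choices.

```powershell
# Added example: create the updated request-blocking rule with WebAdministration
# instead of the IIS Manager GUI. Not the bulletin's or Microsoft's script.
# Assumptions: site is "Default Web Site", URL Rewrite module is installed.
Import-Module WebAdministration

$SitePath  = 'IIS:\Sites\Default Web Site'
$RuleName  = 'Block autodiscover PowerShell chain'   # hypothetical rule name
$Pattern   = '.*autodiscover\.json.*Powershell.*'     # updated pattern from the bulletin
$RulesPath = 'system.webServer/rewrite/rules'
$RulePath  = "$RulesPath/rule[@name='$RuleName']"

function Add-BlockingRule {
    # Remove a stale copy first so the script can be re-run safely.
    if (Get-WebConfiguration -PSPath $SitePath -Filter $RulePath) {
        Clear-WebConfiguration -PSPath $SitePath -Filter $RulePath
    }
    # Rule shell: match every URL and stop processing further rules on a hit.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesPath -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RulePath/match" -Name 'url' -Value '.*'
    # The condition does the blocking. {REQUEST_URI} (not {URL}) includes the query
    # string, which is where the bulletin's pattern needs to be matched.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RulePath/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RulePath/action" -Name 'type' -Value 'AbortRequest'
}

function Test-BlockingRule {
    # Read the rule back and confirm the condition uses REQUEST_URI with the expected pattern.
    $cond = Get-WebConfiguration -PSPath $SitePath -Filter "$RulePath/conditions/add"
    if (-not $cond) { return $false }
    return ($cond.input -eq '{REQUEST_URI}' -and $cond.pattern -eq $Pattern)
}

Add-BlockingRule
if (Test-BlockingRule) { 'Rule present with {REQUEST_URI} condition' } else { 'Rule missing or misconfigured' }
```

Run from an elevated PowerShell session on the Exchange server; the rule is written to the site’s web.config, where it can be reviewed alongside any rule created through the GUI. Test-BlockingRule is the check worth keeping: a rule whose condition still reads {URL} is the configuration the researcher showed to be bypassable.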

This is only a temporary mitigation as no patches have been released. Once a confirmed patch has been issued, customers are highly advised to patch all affected systems to ensure system security.

30th September 2022

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical – Two chained vulnerabilities with CVSS base scores of 8.8 and 6.3; successful exploitation could result in system compromise, data loss and lateral access to connected systems.

Vietnamese-based cyber security researchers GTSC have reportedly discovered two zero-day vulnerabilities that when chained together allow an attacker to perform remote code execution (RCE).

The vulnerabilities have been acknowledged by Microsoft and have been given the following CVEs:

CVE-2022-41040 – Server-Side Request Forgery (SSRF) vulnerability
CVE-2022-41082 – PowerShell RCE vulnerability

When used in unison, CVE-2022-41040 gives an authenticated attacker the ability to remotely trigger CVE-2022-41082, granting them remote PowerShell code execution on the target system.

Impact

Should a victim be targeted and the exploitation prove successful, the malicious actor would be able to access and export sensitive data, establish persistence, and move laterally across other systems connected to the victim’s networks.

Vulnerability Detection

Two methods have been released by GTSC to help organisations check whether they have been compromised by these zero-day exploits:

1 – Use PowerShell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

2 – A search tool developed by GTSC based on the exploits’ signature, available on GTSC’s GitHub.
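The GTSC command above looks for the exploit request pattern. As an added example (not part of the bulletin and not GTSC’s tool), the script below complements it by parsing IIS W3C log lines into fields and flagging requests that come from an address in this bulletin’s Indicators of Compromise section or that reach one of the web shell file names listed there. The three log lines are constructed for illustration and are not from any real server; the field order is the IIS default.

```powershell
# Added example: match IIS log lines against the bulletin's network and web shell
# indicators. Not the bulletin's or GTSC's code. Sample log lines are constructed.
$IndicatorIPs = @(   # addresses from the bulletin's IoC list, de-fanging removed
    '125.212.220.48', '5.180.61.17', '47.242.39.92', '61.244.94.85', '86.48.6.69',
    '86.48.12.64', '94.140.8.48', '94.140.8.113', '103.9.76.208', '103.9.76.211',
    '104.244.79.6', '112.118.48.186', '122.155.174.188', '125.212.241.134',
    '185.220.101.182', '194.150.167.88', '212.119.34.11', '206.188.196.77', '137.184.67.33'
)
$WebShellNames = @('pxh4HG1v.ashx', 'RedirSuiteServiceProxy.aspx', 'Xml.ashx', 'errorEE.aspx')

# Constructed sample: one benign line, one hit on a web shell name, one hit on a listed IP.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 08:14:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 31
2022-09-29 08:15:47 10.0.0.5 POST /owa/auth/RedirSuiteServiceProxy.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 120
2022-09-29 08:16:10 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 185.220.101.182 Mozilla/5.0 - 200 0 0 45
'@

function Find-SuspiciousRequests {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header line gives the column order for the lines that follow.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $reasons = @()
        if ($IndicatorIPs -contains $row['c-ip']) { $reasons += 'client IP in bulletin indicator list' }
        $leaf = ($row['cs-uri-stem'] -split '/')[-1]
        if ($WebShellNames -contains $leaf) { $reasons += "request to web shell name $leaf" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Uri    = $row['cs-uri-stem']
                Status = $row['sc-status']
                Reason = ($reasons -join '; ')
            }
        }
    }
}

# Runs against the constructed sample; in practice feed it Get-Content of the IIS log files.
Find-SuspiciousRequests -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the sample this reports the second and third lines only. A 200 response to a POST against one of the listed file names is the stronger signal of the two, because it indicates the web shell was present and answering; an indicator IP alone warrants review of that client’s full request history rather than an immediate conclusion.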

Affected Products

– Microsoft Exchange Server 2013
– Microsoft Exchange Server 2016
– Microsoft Exchange Server 2019

Containment, Mitigations & Remediations

As of writing this report, no patches are available for the vulnerabilities. However, there are steps to take that will break the current attack chains.

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. A full step-by-step guide can be found on the Microsoft Security Response Center.

Indicators of Compromise

The following file names, hashes and IP addresses are associated with exploitation of these vulnerabilities:

File name: pxh4HG1v.ashx
Purpose: Webshell
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File name: RedirSuiteServiceProxy.aspx
Purpose: Webshell
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File name: RedirSuiteServiceProxy.aspx
Purpose: Webshell
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File name: Xml.ashx
Purpose: Webshell
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

File name: errorEE.aspx
Purpose: Webshell
Hash (SHA256): be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

File name: Dll.dll
Hashes (SHA256):
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File name: 180000000.dll
Hash (SHA256): 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP addresses:
125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11

URL: hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2: 137[.]184[.]67[.]33
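As an added example (not part of the bulletin and not GTSC’s tool), the script below hunts the Exchange front-end directory for the web shell indicators listed above. The SHA256 values and the owa\auth path are copied from this section of the bulletin; the decision to hash every .aspx and .ashx file under that directory, and the 30-day “recently created” window, are the example’s own assumptions.

```powershell
# Added example: hunt for the bulletin's web shell indicators on disk.
# Not the bulletin's or GTSC's code. Hashes/paths come from the IoC section;
# the file-type scope and the recent-creation window are assumptions.
$OwaAuthDir = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'

# SHA256 hashes of the web shells named in the bulletin.
$KnownBadHashes = @(
    'c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1',  # pxh4HG1v.ashx / Xml.ashx
    '65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5',  # RedirSuiteServiceProxy.aspx
    'b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca',  # RedirSuiteServiceProxy.aspx
    'be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257'   # errorEE.aspx
)

# File names used by the web shells: a name match is a lead, a hash match is a confirmed hit.
$KnownBadNames = @('pxh4HG1v.ashx', 'RedirSuiteServiceProxy.aspx', 'Xml.ashx', 'errorEE.aspx')

function Find-WebShellIndicators {
    param([string]$Directory = $OwaAuthDir, [int]$RecentDays = 30)

    if (-not (Test-Path $Directory)) { return @() }
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ChildItem -Path $Directory -File -Recurse -Include '*.aspx', '*.ashx' | ForEach-Object {
        $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $reason = @()
        if ($KnownBadHashes -contains $hash)   { $reason += 'hash matches bulletin IoC' }
        if ($KnownBadNames  -contains $_.Name) { $reason += 'file name matches bulletin IoC' }
        # The legitimate owa\auth content ships with the installation, so any script file
        # created recently deserves review even when its hash is not on the list (the five
        # Dll.dll hashes above show that the attacker's files vary).
        if ($_.CreationTime -gt $cutoff)       { $reason += "created in last $RecentDays days" }
        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                Path    = $_.FullName
                SHA256  = $hash
                Created = $_.CreationTime
                Reason  = ($reason -join '; ')
            }
        }
    }
}

Find-WebShellIndicators | Format-Table -AutoSize
```

A hash match should be treated as confirmed compromise and handed to incident response before the file is removed, since the bulletin’s MITRE mapping includes file deletion by the attacker and the file is evidence. A name or recency match on its own needs the file’s contents reviewed before any conclusion is drawn.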

Threat Landscape

Zero-day vulnerabilities are one of the most dangerous forms of exploitation facing businesses, due to the lack of defensive understanding and the unavailability of robust patching countermeasures. It is highly likely that threat actors with the required knowledge to use these vulnerabilities will rush to exploit as many systems as possible over the coming few days, before routine patching becomes available.

Threat Group

Early reporting suggests the realistic possibility of Chinese state-sponsored involvement, based on Chinese-style code used within the manipulated web shells.

Mitre Methodologies

T1586.002 – Compromise Accounts: Email Accounts

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

T1047 – Windows Management Instrumentation

T1505.003 – Server Software Component: Web Shell

T1070.004 – Indicator Removal on Host: File Deletion

T1036.005 – Masquerading: Match Legitimate Name or Location

T1620 – Reflective Code Loading

T1003.001 – OS Credential Dumping: LSASS Memory

T1087 – Account Discovery

T1083 – File and Directory Discovery

T1057 – Process Discovery

T1049 – System Network Connections Discovery

T1570 – Lateral Tool Transfer

T1560.001 – Archive Collected Data: Archive via Utility

Further Information

Microsoft Security Response Center

GTSC Report – Microsoft Exchange Server Vulnerability

Bleeping Computer Article – Exploited Microsoft Exchange Zero-day

Intelligence Cut-Off Date (ICOD):

12:00 BST 30/09/2022
