Two Microsoft Exchange zero-days exploited in the wild.
N2K, Oct 3, 2022

Microsoft warned late Friday, with updates over the weekend, that two zero-days were being used to exploit Microsoft Exchange Server in the wild. CISA has added the two issues to its Known Exploited Vulnerabilities Catalog.

Microsoft warns of Exchange Server vulnerabilities.

Late Friday Microsoft disclosed that two zero-days affected three supported versions of its widely used on-premises Exchange Server. Redmond's initial disclosure said:

"Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  

"Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

"We are working on an accelerated timeline to release a fix. Until then, we’re providing mitigations and the detections guidance below to help customers protect themselves from these attacks."

Microsoft's Security Response Center shared an initial set of mitigations and tools to evaluate the risk, including indicators of compromise, in its "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server." Late Sunday the Microsoft Security Response Center added this caution: "We strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization."

GTSC initially discovered the zero-days (and their exploitation).

In the course of security monitoring and incident response services its SOC team was performing early in August, Hanoi-based GTSC "discovered that a critical infrastructure was being attacked" through its Microsoft Exchange application. GTSC shared the discovery with the Zero Day Initiative and Microsoft, which led to the mitigation and detection guidance Redmond released Friday; a patch was still outstanding at the time of the disclosure.

GTSC summarized the attackers' activity as follows: "We recorded attacks to collect information and create a foothold in the victim's system. The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system. We detected webshells, mostly obfuscated, being dropped to Exchange servers. Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management." The company provided its customers with temporary containment measures they could use to protect themselves until Microsoft was able to make a patch available.
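Microsoft's detection guidance (referenced above) pointed defenders at the Exchange IIS logs, and GTSC's write-up adds the user-agent as a second signal. The following is an added example, not code from the N2K article, Microsoft or GTSC: it parses IIS W3C logs using each file's own `#Fields:` header, flags successful (HTTP 200) requests whose URI carries all three markers of the ProxyShell-style request shape (`autodiscover.json`, an `@`, and the `powershell` endpoint, in any order, which is this example's own generalization of the published search), and reports the client IP, authenticated user and user-agent. The log lines are constructed, not a real capture.

```powershell
function Find-ProxyNotShellRequests {
    [CmdletBinding()]
    param(
        # IIS W3C log lines, including the '#Fields:' header line of each file
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$LogLine
    )
    begin {
        $fields = $null
        # Front-end and back-end IIS sites log the request pieces in different
        # positions, so require all three markers rather than one fixed order.
        # Assumption of this example, not Microsoft's exact regex.
        $markers = @('autodiscover\.json', '@', 'powershell')
    }
    process {
        foreach ($line in $LogLine) {
            if ([string]::IsNullOrWhiteSpace($line)) { continue }
            if ($line -like '#Fields:*') {
                # Map column names to positions from the header so the parser does
                # not depend on the default field order.
                $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
                continue
            }
            if (-not $fields -or $line.StartsWith('#')) { continue }
            $cols = $line -split ' '
            $rec = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) {
                $rec[$fields[$i]] = $cols[$i]
            }
            $uri = '{0}?{1}' -f $rec['cs-uri-stem'], $rec['cs-uri-query']
            $suspicious = $true
            foreach ($m in $markers) {
                if ($uri -notmatch $m) { $suspicious = $false; break }
            }
            # Only a 200 means the request got past authentication and through the
            # front end; failed attempts are noise worth counting but not hits.
            if ($suspicious -and $rec['sc-status'] -eq '200') {
                [pscustomobject]@{
                    Time      = '{0} {1}' -f $rec['date'], $rec['time']
                    ClientIP  = $rec['c-ip']
                    User      = $rec['cs-username']
                    UserAgent = $rec['cs(User-Agent)']
                    Uri       = $uri
                }
            }
        }
    }
}

# Constructed sample (not a real capture): a benign Autodiscover call from Outlook,
# one successful request of the suspicious shape, and one that failed authentication.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 03:10:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\alice 10.0.0.40 Microsoft+Office/16.0 - 200 0 0 31
2022-09-30 03:11:27 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 CONTOSO\alice 198.51.100.7 antSword/v2.1 - 200 0 0 502
2022-09-30 03:11:29 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 - 198.51.100.7 antSword/v2.1 - 401 0 0 12
'@ -split "`r?`n"

$sample | Find-ProxyNotShellRequests | Format-Table -AutoSize
# Against a server's logs (default path shown; adjust to your site's log directory):
# Get-ChildItem -Recurse C:\inetpub\logs\LogFiles -Filter *.log | Get-Content | Find-ProxyNotShellRequests
```

Only the second line is reported: the third has the same URI shape but a 401, which is the authentication requirement Microsoft describes showing up in the logs. A hit names the account whose credentials were used, so the follow-up is credential reset and a hunt for webshells under the Exchange IIS directories for that host, not just blocking the source IP.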

Who's responsible for the observed exploitation isn't clear, but GTSC sees strong circumstantial evidence that the threat actor or actors behind it are Chinese. "We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese.”

Sophos explains why the authentication requirement and the interim measures matter, and sees a kind of "silver lining" in the cloud the incident casts over Exchange:

"The bugs can’t be triggered by just anyone." That is, only an authenticated attacker can initiate them. "Sure, any remote user who has already logged into their email account over the internet, and whose computer is infected by malware, could in theory have their account subverted to launch an attack that exploits these bugs. But just having your Exchange server accessible over the internet is not enough on its own to expose you to attack, because so-called unauthenticated invocation of these bugs is not possible.

"Blocking PowerShell Remoting can limit attacks. According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit (if not actually prevent) attackers from chaining from the first vulnerability to the second. Although attacks might be possible without relying on triggering PowerShell commands, intrusion reports so far seem to suggest that PowerShell execution was a necessary part of the attack."
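Microsoft's two interim recommendations quoted on this page are to disable remote PowerShell for non-admin users and to block the Remote PowerShell ports. The following is an added example, not Microsoft's script, for the Exchange Management Shell: it builds an allow-list from the members of the admin role groups you name (the default list of groups is an assumption; adjust it to your delegation model), reports every other user who still has remote PowerShell enabled, only changes them when run with `-Apply`, and adds idempotent inbound block rules for TCP 5985 and 5986. It assumes `Get-RoleGroupMember` and `Get-User` both expose `DistinguishedName`, which is how the two lists are matched.

```powershell
function Disable-NonAdminRemotePowerShell {
    [CmdletBinding()]
    param(
        # Role groups whose members keep remote PowerShell. Direct members only;
        # nested groups are not expanded (check that assumption in your org).
        [string[]]$AdminRoleGroup = @('Organization Management', 'Recipient Management', 'Server Management'),
        # Without -Apply the function only reports what it would change.
        [switch]$Apply
    )
    $keep = New-Object 'System.Collections.Generic.HashSet[string]' `
        -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($group in $AdminRoleGroup) {
        Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$keep.Add([string]$_.DistinguishedName) }
    }
    Get-User -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled -and -not $keep.Contains([string]$_.DistinguishedName) } |
        ForEach-Object {
            if ($Apply) {
                Set-User -Identity $_.DistinguishedName -RemotePowerShellEnabled $false
                $action = 'Disabled'
            } else {
                $action = 'WouldDisable'
            }
            [pscustomobject]@{ User = $_.UserPrincipalName; Action = $action }
        }
}

function Block-RemotePowerShellPorts {
    # Microsoft's interim guidance: block Remote PowerShell HTTP (5985) and
    # HTTPS (5986) on the Exchange server. Skips rules that already exist.
    foreach ($port in 5985, 5986) {
        $name = "Exchange interim - block inbound TCP $port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block | Out-Null
        }
        $name
    }
}

# Dry run first, review the list (service accounts that legitimately use remote
# PowerShell belong in a role group on the allow-list), then re-run with -Apply.
Disable-NonAdminRemotePowerShell | Format-Table -AutoSize
Block-RemotePowerShellPorts
```

Two caveats. The per-user change is the substantive control: a mailbox user's Outlook and OWA do not need remote PowerShell, but the Exchange admin center does, so keep at least one break-glass admin in an allow-listed group and test it before applying broadly. The port rules only cover the WinRM listeners; Exchange's own remote PowerShell endpoint is an IIS virtual directory reached over the normal HTTPS port, which is why Sophos and Microsoft describe the port block as limiting rather than preventing the chain. Microsoft's guidance also included an IIS URL Rewrite rule on the Autodiscover front end that was revised several times as bypasses were found, so take that rule from the current guidance rather than from a copy.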

The zero-days are first cousins to ProxyShell: the chain again enters through the Exchange Autodiscover front end on its way to the PowerShell back end. Organizations that found themselves vulnerable to ProxyShell should be especially on their guard.

CISA adds both issues to its Known Exploited Vulnerabilities Catalog.

Late Friday the US Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2022-41082 and CVE-2022-41040 to its Known Exploited Vulnerabilities Catalog. It characterized CVE-2022-41082 as follows: "Microsoft Exchange Server contains an unspecified vulnerability which allows for authenticated remote code execution. Dubbed 'ProxyNotShell,' this vulnerability is chainable with CVE-2022-41040 which allows for the remote code execution." CVE-2022-41040, the server-side request forgery vulnerability, is described thus: "Microsoft Exchange Server allows for server-side request forgery. Dubbed 'ProxyNotShell,' this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution." In both cases CISA advises organizations to apply the mitigations Microsoft has provided. US Federal civilian executive branch agencies have until October 21st to take action.

Michael Assraf, CEO and co-founder of Vicarius, was struck by how quickly CISA added the two vulnerabilities to its Catalog. "CISA is typically late to the party for many of the KEV additions, but it seems like the invitation was delivered early," he wrote, and went on to offer his summary of the vulnerabilities and their implications:

"Two zero-days in Microsoft Exchange servers were discovered that, when chained together, can allow remote code execution. However, the advisory states that authenticated access to the servers is necessary in order to exploit. Thus, it is likely attackers will first run a phishing/social engineering campaign to gain authorization. So if you have Exchange servers, it is important to place all of the suggested mitigations in effect from Microsoft's guidance. But what's equally, if not more, important is to double down on efforts to recognize and report phishing in your organization.

"The other vulnerability is a command injection flaw in Atlassian Bitbucket reported back in August. A patch is available for this CVE, and a PoC exploit is also circulating out in the wild. As Bitbucket is a code repository, some sensitive intellectual property could be at risk as well as other components connected to the larger Jira/Trello framework. A malicious actor leveraging this kind of attack is most likely after admin-level control so they can sink their teeth further into the network.”