Microsoft confirms that new Exchange zero-days are used in attacks

Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild.

“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft said.

“At this time, Microsoft is aware of limited targeted attacks using both vulnerabilities to penetrate user systems.”

The company added that the CVE-2022-41040 flaw can only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability.

Microsoft says Exchange Online customers don’t need to take any action at this time because the company has detections and mitigations in place to protect customers.

“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated schedule to release a fix,” Microsoft added.

According to the Vietnamese cybersecurity team GTSC, which first reported on the ongoing attacks, the zero-days are chained to deploy China Chopper web shells for persistence and data theft and to move laterally through the victims’ networks.

GTSC also suspects that a Chinese threat group may be responsible for the ongoing attacks, based on the web shells’ code page, a Microsoft character encoding for Simplified Chinese.

The threat group also manages web shells with the Chinese open-source website administration tool Antsword, as revealed by the user agent used to install them on compromised servers.

Mitigation available

Redmond also confirmed the mitigations shared yesterday by GTSC, whose security researchers also reported both flaws to Microsoft privately through the Zero Day Initiative three weeks ago.

“On-premises Microsoft Exchange customers should review and apply the following URL rewrite guidelines and block exposed Remote PowerShell ports,” Microsoft added.

“The current mitigation is to add a blocking rule in ‘IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions’ to block known attack patterns.”

To apply the mitigation to vulnerable servers, you will need to follow these steps:

  1. Open the IIS manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the features view, click URL Rewrite.
  5. In the Actions pane on the right side, click Add Rules.
  6. Select Request blocking and click OK.
  7. Add the string “.*autodiscover.json.*@.*Powershell.*” (without quotes) and click OK.
  8. Expand the rule and select the rule with pattern “.*autodiscover.json.*@.*Powershell.*” and click Edit under Conditions.
  9. Change the condition entry from {URL} to {REQUEST_URI}.

Since attackers can also access PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via the CVE-2022-41082 exploit, Microsoft also advises administrators to block the following Remote PowerShell ports to prevent the attacks:

GTSC said yesterday that administrators who want to check whether their Exchange servers have ever been compromised can run the following PowerShell command to analyze IIS log files for indicators of compromise (replace the <IIS_LOG_PATH> placeholder with the folder holding the server’s IIS log files):

Get-ChildItem -Recurse -Path <IIS_LOG_PATH> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'
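As an added illustration (not part of the original article or of GTSC’s tooling), the following Python script parses a constructed W3C-format IIS log excerpt and flags requests matching the same autodiscover.json/@/powershell pattern used in the URL rewrite rule, applied to the stem plus query string (the reason step 9 above switches the condition to {REQUEST_URI}); it reports the status code so that requests answered with 200 can be separated from rejected attempts. The log lines, IP addresses and user agent strings are constructed sample data.

```python
import re

# Constructed W3C-format IIS log excerpt (sample data, not from a real server).
# cs-uri-stem and cs-uri-query are separate columns in the default IIS layout.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:01:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-29 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 - 198.51.100.9 antSword/v2.1 200
2022-09-29 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 - 198.51.100.9 antSword/v2.1 401
2022-09-29 10:02:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40example.com 443 - 203.0.113.7 Outlook/16.0 200
"""

# The URL rewrite rule's pattern, tested against the full request URI (stem + query).
# Testing the path alone would miss it, because the "@...powershell" part is in the query.
PATTERN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def find_suspicious_requests(text):
    """Return (client_ip, request_uri, status, user_agent) for each matching request."""
    hits = []
    for rec in parse_iis_log(text):
        query = rec.get("cs-uri-query", "-")
        uri = rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        if PATTERN.search(uri):
            hits.append((rec["c-ip"], uri, int(rec["sc-status"]), rec.get("cs(User-Agent)", "-")))
    return hits


if __name__ == "__main__":
    for ip, uri, status, ua in find_suspicious_requests(SAMPLE_IIS_LOG):
        verdict = "answered 200 - investigate host" if status == 200 else "rejected attempt"
        print(f"{ip} {status} {ua} {uri} -> {verdict}")
```

A 200 response to a matching request only shows the request reached the endpoint; triage the host for web shells and unexpected PowerShell activity rather than treating the status code alone as proof of compromise.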
