

Severity
High
Analysis Summary
Microsoft verified that two zero-day vulnerabilities in Microsoft Exchange discovered by GTSC researchers are being actively exploited in the wild.
The IT giant has promptly started an investigation into the two zero-day vulnerabilities, which impact Microsoft Exchange Server 2013, 2016, and 2019.
CVE-2022-41040 & CVE-2022-41082
The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Successful exploitation of CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.”
The company also stated that only authenticated attackers can exploit the CVE-2022-41040 flaw. After a successful exploit, they can exploit the CVE-2022-41082 RCE vulnerability.
The cybersecurity company, which was the first to report the attacks, claims that the two zero-days are chained together to deploy China Chopper web shells for data theft and persistence, as well as to move laterally through the victims’ networks. It also suspects that a Chinese threat group is behind the continued attacks, based on the code page of the web shells, a Microsoft character encoding for simplified Chinese.
Microsoft stated that it is working to accelerate the timing for the deployment of a remedy that resolves both issues. Meanwhile, the corporation gave mitigations and detection instructions to clients to assist them in protecting themselves from these attacks.
The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
To allow organizations to check if their Exchange Servers have been compromised by exploitation of these flaws, GTSC released a guideline and a tool to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder):
- Method 1: Use the PowerShell command:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
- Method 2: Use the tool developed by GTSC: Based on the exploit signature, we built a tool to search with much shorter time needed than using PowerShell. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner
The detailed procedure offered by Microsoft to reduce the risk of exploitation for the aforementioned problems is as follows:
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}.
Additionally, Microsoft advises users to block the following Remote PowerShell ports:
- HTTP: 5985
- HTTPS: 5986
Recently, however, experts have cautioned that Microsoft’s mitigation for on-premises Exchange systems is insufficient.
Both of these zero-day vulnerabilities are already being exploited by threat actors in ongoing campaigns to compromise Microsoft Exchange servers and achieve remote code execution.
Security researcher Jang initially warned that Microsoft’s mitigations can be readily bypassed with minimal effort.
Will Dormann, a senior vulnerability analyst at ANALYGENCE, concurred, noting that the ‘@’ in Microsoft’s URL block “looks too precise, and consequently insufficient.”
Instead of the URL block mitigation supplied by the IT giant, the researchers advised using the broader pattern “.*autodiscover.json.*Powershell.*”.
Impact
- Remote Code Execution
- Unauthorized Access
- Server-Side Request Forgery (SSRF) issue
Indicators Of Compromise
CVE
- CVE-2022-41040
- CVE-2022-41082
Affected Vendors
Microsoft
Affected Products
Microsoft Exchange Server 2013, 2016, and 2019
Remediation
Refer to Microsoft Security Response Center for patch, upgrade or suggested workaround information.