Last updated at Wed, 03 May 2023 14:09:32 GMT
November 8, 2022: As a part of the monthly patch release cycle, Microsoft released updates for CVE-2022-41040 and CVE-2022-41082. Rapid7 recommends that organizations apply these Exchange patches immediately.
On Thursday, September 29, a Vietnamese security firm called GTSC published information and IOCs on what they claimed was a pair of unpatched Microsoft Exchange Server vulnerabilities being used in attacks on their customers’ environments dating back to early August 2022. The impact of exploitation, the firm said, is remote code execution. From the information released, both vulnerabilities appeared to be post-authentication flaws. According to GTSC, the vulnerabilities are being exploited to drop webshells on victim systems and establish footholds for post-exploitation behavior.
Microsoft confirmed both zero-day vulnerabilities late the evening of September 29, 2022 and said they were aware of "limited, targeted attacks using the two vulnerabilities to get into users' systems." Tracked as CVE-2022-41040 and CVE-2022-41082, neither vulnerability has a patch as of September 30, but Microsoft indicated they're working on an accelerated timeline to release fixes.
- CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
- CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Both vulnerabilities require an attacker to have authenticated network access for successful exploitation. The known attacks appear to be a variant of last year's infamous ProxyShell exploit chain. Note: While attacks using these vulnerabilities have so far chained the two CVEs, it is entirely possible that either could be used alone, or chained with different vulnerabilities.
Security researchers have pointed out that there are still plenty of Exchange Server installations not patched or improperly patched for ProxyShell, which gives attackers an easy way into systems that might otherwise be somewhat more resilient to this latest campaign. As of early September 2022, Rapid7 Labs observed up to 191,000 Exchange Servers exposed to the internet via port 443.
GTSC's original blog has extensive details on the attacks they observed, including various IOCs, malware analysis, and MITRE ATT&CK mapping.
On September 30, Microsoft also published additional information on attacks they have observed using these vulnerabilities:
"MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization."
NOTE: Microsoft has revised the URL Rewrite rule from their mitigation guidance multiple times since this blog came out. Refer to their instructions for the latest guidance.
Both CVE-2022-41040 and CVE-2022-41082 are unpatched. In the absence of a patch, Microsoft has directed on-premises Exchange customers to apply a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. Organizations should apply the mitigation as Microsoft directs on an emergency basis.
Microsoft has full step-by-step URL Rewrite (mitigation) instructions here. These instructions have been updated multiple times—check Microsoft's info for the latest.
Microsoft has confirmed that the URL Rewrite instructions linked above are successful in breaking current attack chains. Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks. Therefore, on-premises Exchange customers should review and apply Microsoft's URL Rewrite Instructions and block exposed Remote PowerShell ports:
- HTTP: 5985
- HTTPS: 5986
Microsoft also "strongly recommends" Exchange Server customers disable remote PowerShell access for non-admin users.
Microsoft has said explicitly that Exchange Online Customers do not need to take any action. Note, however, that organizations who use hybrid (a mix of on-prem and cloud) Exchange environments should follow on-prem guidance. See Microsoft's official blog for more details.
InsightVM and Nexpose customers can assess their exposure to CVE-2022-41040 and CVE-2022-41082 with a remote vulnerability check available in the September 30, 2022 content-only release ( Jar UpdateID: 144473189). The check will identify whether Microsoft's recommended mitigations have been applied. Customers can also use Query Builder or Dynamic Asset Groups to identify systems that have Exchange installed on them.
Note: Microsoft has revised their recommended URL Rewrite rule several times since October 4. Our vulnerability check has been updated as of the October 12, 2022 content-only release to identify the improved mitigation in Microsoft's guidance.
The behavior described in GTSC's blog is similar to other attacks targeting Exchange over the past 18 months. Rapid7’s InsightIDR and Managed Detection & Response (MDR) customers have detection coverage for currently known post-exploitation attacker behaviors, including but not limited to:
- Suspicious Process - Process Spawned By Outlook Web Access
- Suspicious Process - Exchange Server Spawns Process
- Attacker Technique - CertUtil With URLCache Flag
- Webshell - China Chopper Executing Commands
- Suspicious Process - Executable Runs From C:\Perflogs
For InsightIDR customers, we recommend reviewing the rule action and priority of these detection rules to confirm that they align with their security needs. As always, MDR customers are being actively monitored by the Rapid7 SOC. If suspicious activity is detected in your environment, you will be contacted by your customer advisor.
We will update this blog with further information, including coverage additions or enhancements, as needed.
September 30, 2022: Microsoft has confirmed two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, are being exploited in "limited, targeted attacks." Microsoft has released mitigation guidance. Our engineering teams are investigating options to allow InsightVM and Nexpose customers to assess exposure to these vulnerabilities. InsightIDR customers have existing detection coverage.
[16:30 ET] Updated information on newly released InsightVM and Nexpose vulnerability checks.
October 1, 2022: Clarified wording and directions in Mitigations section, added a Threat intelligence section with Microsoft's analysis of attacks using these vulnerabilities.
October 4, 2022: Microsoft published updated mitigation guidance that includes an improvement to their URL Rewrite rule. The string contained in the recommended rule has been modified to be more effective. Full instructions are here. Our researchers are evaluating whether adjustments to our existing vulnerability checks are required based on Microsoft’s new guidance.
October 5, 2022: Our vulnerability check for InsightVM and Nexpose customers will be updated to identify the improved mitigation in Microsoft's revised guidance; this update will go out in the October 5, 2022 content-only release.
October 11, 2022: Microsoft made additional improvements to their URL Rewrite rule instructions on October 7 and October 8. Full details are in their blog. The vulnerabilities are still unpatched as of the October 11, 2022 Patch Tuesday release.
October 12, 2022: Our engineering team has updated checks for these vulnerabilities in the October 12 content-only release. The updates look for the revised URL Rewrite rule in Microsoft's recommended mitigation guidance.
November 8, 2022: As a part of the monthly patch release cycle, Microsoft released updates for CVE-2022-41040 and CVE-2022-41082. Rapid7 recommends that organizations apply these Exchange patches immediately. New checks are available for InsightVM and Nexpose customers; the previous checks that look for mitigation rules (which are no longer recommended) have been deprecated.