Tech giant Microsoft is investigating two reported zero-day vulnerability exploits affecting the popular Microsoft Exchange email software.
CVE-2022-41040 (CVSS 8.8) is a Server-Side Request Forgery (SSRF) vulnerability that could enable an authenticated attacker to remotely trigger CVE-2022-41082. The second vulnerability, CVE-2022-41082 (CVSS 6.3), is a Remote Code Execution (RCE) when Powershell is accessible to the attacker.
According to Microsoft, on-premises Exchange Servers 2013, 2016, and 2019 were affected by the recently discovered security flaws.
Exchange Server zero-day vulnerability chain requires only a standard user account
Microsoft stated that the zero-day vulnerabilities require authentication, and only on-premise servers were at immediate risk. The company said Microsoft Exchange Online customers are protected by various mitigations that detect malicious activity.
While the zero-day vulnerability pair requires authentication, Microsoft warned that attackers could use a standard account to trigger the vulnerability.
Additionally, attackers could obtain login credentials of standard accounts by password spraying, phishing attacks, or purchasing them online from hacker forums.
Microsoft Exchange zero-day vulnerabilities exploited in the wild
Microsoft is also aware of limited, targeted attacks exploiting these vulnerabilities to compromise users’ systems. The attacks involved a single state-sponsored group that compromised less than ten organizations.
According to the company, the attackers gained initial access by chaining CVE-2022-41040 and CVE-2022-41082. They then installed Chopper web shell to obtain keyboard access, perform Active Directory reconnaissance, and exfiltrate data.
Microsoft expects more exploitation and integration of the zero-day vulnerability chain into hacking toolkits when proof-of-concept (PoC) code becomes widely available.
Vietnamese security firm GTSC also observed attackers dropping obfuscated web shells into compromised servers to access them remotely. Additionally, GTSC observed possible injection of malicious DLLs into memory and the delivery and execution of additional payloads via WMI utility.
Attackers appear to be highly-motivated, leveraging the initial compromised systems to move laterally to other systems. According to GTSC, the attackers installed Antsword, a Chinese open-source website administration tool, and web shell, suggesting Chinese hackers’ involvement.
GTSC is credited with discovering the vulnerabilities and submitting them to the Zero Day Initiative a month ago. However, the firm publicly disclosed flaws before Microsoft could fix them within 120 days after discovering real-world exploitation. Cybersecurity company Veloxity also suspects that a Chinese hacking group involved in the Zimbra Collaboration Suite hacking is involved in the campaign.
Although the identity of the threat actor remains speculative, the Hafnium group, which is closely linked to APT40, deploys China Chopper web shells. The group’s possible exploitation of CVE-2022-41040 and CVE-2022-41082 is hardly surprising, considering that it was notorious for exploiting the ProxyLogon zero-day vulnerability.
Independent cybersecurity researcher and influencer, Kevin Beaumont, believes that significant Microsoft Exchange servers were backdoored, “including a honeypot.” Beaumont added that the attacker’s IP address (137[.]184[.]67[.]33) was hardcoded into binary and pointed to a single fake website that was active since August with only a single user login. The ex-Microsoft Senior Threat Intelligence Analyst also warned that Exchange Online customers running hybrid servers with Outlook Web Access (OWA) access were at risk despite Microsoft’s assertion.
According to Shodan crawls, approximately 250,000 on-premises Microsoft Exchange servers exposed to the internet are at risk.
Mitigating Microsoft exchange Zero-Day vulnerability exploits
The tech company has promised to expedite the release of security fixes to prevent attackers from exploiting the reported security vulnerabilities.
“We are working on an accelerated timeline to release a fix. Until then, we’re providing mitigations and the detections guidance below to help customers protect themselves from these attacks.”
Meanwhile, Microsoft urged system administrators to apply mitigations to prevent hackers from compromising their Exchange servers.
“The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns,” the Microsoft security research team wrote.
They should add the “.*autodiscover\.json.*\@.*Powershell.*” regular expression in the Request Blocking section and select “Abort Request.” Finally, they should also change the input condition from {URL} to {REQUEST_URI}.
Additionally, Microsoft Exchange operators should disable Powershell access for non-administrators and disable HTTP 5985 and HTTPS 5986 ports to prevent possible attacks.
On September 30, 2022, the tech company also published a script on GitHub to assist system administrators set up the blocking rules.
The Cybersecurity and Infrastructure Security Agency (CISA) joined Microsoft in urging organizations to implement the suggested mitigations.