Microsoft Exchange Zero-Day

Security researchers have warned that a zero-day flaw in Microsoft’s on-premises Exchange Server is being actively exploited. So far, we know that the attackers are chaining a pair of zero-days to achieve remote code execution and deploy China Chopper web shells on compromised hosts. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Exploiting either requires authenticated access to the Exchange server, but ordinary user credentials are enough. Together they let the attackers plant web shells on the Exchange servers for persistence and data theft, and then move laterally to other systems on the victims’ networks.

Who is behind it?

Evidence points towards Chinese threat groups: the web shells use code page 936, a Microsoft character encoding for simplified Chinese. The user agent used to install the web shells also belongs to AntSword, a Chinese open-source website administration tool with web shell management support.

Microsoft has acknowledged the two vulnerabilities, published interim customer guidance (see References) and is working on a fix.

Mitigations

If you only use Exchange Online and do not run Microsoft Exchange on-premises, you do not need to take action. Every on-premises Exchange server, including those in a hybrid deployment, carries the vulnerable code; servers with Outlook Web App or Autodiscover facing the internet are simply the most exposed, so apply the mitigations below to all on-premises servers, starting with the internet-facing ones.

Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block exposed Remote PowerShell ports.

The current mitigation is to add a request-blocking rule under “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” that matches the known attack pattern in the request URI.

Microsoft has confirmed that the following URL Rewrite instructions, which are currently being discussed publicly, are successful in breaking the current attack chains. Note that Microsoft has since revised the pattern string more than once after bypasses of the first version were reported, so check the MSRC guidance linked under References for the current string before applying the rule.

• Open the IIS Manager.

• Expand the Default Web Site.

• Select Autodiscover.

• In the Feature View, click URL Rewrite.

• In the Actions pane on the right-hand side, click Add Rules.

• Select Request Blocking and click OK.

• Add the string ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK.

• Expand the rule, select the rule with the pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.

• Change the condition input from {URL} to {REQUEST_URI}. {URL} only contains the path; {REQUEST_URI} also contains the query string, which is where the attack pattern appears.

Impact: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

Authenticated attackers who can reach PowerShell Remoting on a vulnerable Exchange server can trigger RCE through CVE-2022-41082. Blocking the ports used for Remote PowerShell limits this part of the chain:

• HTTP: 5985.

• HTTPS: 5986.
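The same mitigation, applied from an elevated PowerShell session on the Exchange server rather than by clicking through IIS Manager. This is an added example and is not code from the original advisory or from Microsoft; it assumes the site is named "Default Web Site", that the URL Rewrite module is installed, and it uses a rule name of our own choosing. The pattern string is the one from the instructions above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory or from Microsoft).
# Assumptions: site "Default Web Site", URL Rewrite module installed,
# rule name below is hypothetical.
Import-Module WebAdministration

$RuleName = 'Block-AutodiscoverPowerShell'                  # hypothetical rule name
$PsPath   = 'IIS:\Sites\Default Web Site\Autodiscover'      # the Autodiscover application
$Rules    = 'system.webServer/rewrite/rules'
$Pattern  = '.*autodiscover\.json.*\@.*Powershell.*'        # pattern from the advisory text

function Add-AutodiscoverBlockRule {
    param([string]$Name = $RuleName, [string]$BlockPattern = $Pattern)

    # Idempotent: do nothing if a rule with this name already exists.
    if (Get-WebConfiguration -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']") {
        Write-Host "Rule '$Name' already present"; return
    }
    # 1. The rule itself: regular-expression syntax, stop processing on a match.
    Add-WebConfigurationProperty -PSPath $PsPath -Filter $Rules -Name '.' `
        -Value @{ name = $Name; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    # 2. Match every URL; the real test is the condition below.
    Set-WebConfigurationProperty -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']/match" `
        -Name 'url' -Value '.*'
    # 3. Condition on {REQUEST_URI} (path plus query string), not {URL}; this is
    #    the step the GUI instructions make you change by hand.
    Add-WebConfigurationProperty -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; matchType = 'Pattern'; pattern = $BlockPattern; ignoreCase = 'True'; negate = 'False' }
    # 4. Abort the request. The GUI "Request Blocking" template returns a 403
    #    CustomResponse instead; either stops the chain.
    Set-WebConfigurationProperty -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']/action" `
        -Name 'type' -Value 'AbortRequest'
}

function Get-AutodiscoverBlockRule {
    # Reads the rule back so the two things that go wrong (missing rule, or the
    # condition still on {URL}) are visible at a glance.
    param([string]$Name = $RuleName)
    $rule = Get-WebConfiguration -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']"
    if (-not $rule) { return $null }
    $cond   = Get-WebConfiguration -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']/conditions/add"
    $action = Get-WebConfiguration -PSPath $PsPath -Filter "$Rules/rule[@name='$Name']/action"
    [pscustomobject]@{
        Name             = $rule.name
        PatternSyntax    = $rule.patternSyntax
        ConditionInput   = $cond.input        # must read {REQUEST_URI}
        ConditionPattern = $cond.pattern
        Action           = $action.type
        Correct          = ($cond.input -eq '{REQUEST_URI}' -and $action.type -ne 'None')
    }
}

function Block-RemotePowerShellPorts {
    # Host-firewall block for the WinRM ports the advisory lists. If specific
    # management hosts still need WinRM, narrow the block with -RemoteAddress;
    # Windows Firewall block rules always win over allow rules, so adding an
    # "allow from admin subnet" rule alongside a blanket block would not help.
    param([string[]]$RemoteAddress = @('Any'))
    New-NetFirewallRule -DisplayName 'Block inbound Remote PowerShell (5985/5986)' `
        -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 `
        -RemoteAddress $RemoteAddress -Action Block | Out-Null
}

Add-AutodiscoverBlockRule
Get-AutodiscoverBlockRule | Format-List
Block-RemotePowerShellPorts
```

Changes made through the WebAdministration provider are committed to applicationHost.config immediately, so no IIS restart is needed; run `Get-AutodiscoverBlockRule` on every Exchange server and treat `Correct = False` as "mitigation not in place". Keep in mind that Exchange's own remote PowerShell endpoint is the /PowerShell virtual directory served over 80/443, which the firewall rule does not touch; that path is what the URL Rewrite rule protects.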

If you have Outlook Web App exposed to the internet, you can find it by searching Shodan.io for http.component:"outlook web app". Add the filter org:yourorgname or ssl:"*yourorgname*" to narrow the results to your organisation.

Sentinel

The following link offers guidance on Webshell threat hunting. (ITC is carrying out checks for this and will notify affected Customers.)

• Web Shell Threat Hunting with Microsoft Sentinel

The Exchange SSRF Autodiscover ProxyShell detection, which Microsoft created in response to ProxyShell, can be reused here because this chain abuses the Autodiscover endpoint in a very similar way. Microsoft has also published a new Exchange Server Suspicious File Downloads query, which looks for suspicious downloads in IIS logs. In addition to those, the following Microsoft queries can help in looking for post-exploitation activity:

• Exchange OAB Virtual Directory Attribute Containing Potential Webshell

• Web Shell Activity

• Malicious web application requests linked with Microsoft Defender for Endpoint alerts

• exchange-iis-worker-dropping-webshell

• Web shell Detection
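For servers that do not yet ship IIS logs to Sentinel, the same hunt can be run locally. The script below is an added example, not part of the original advisory and not one of Microsoft's Sentinel queries: it parses IIS W3C logs and flags the two indicators described above, requests matching the Autodiscover/PowerShell pattern from the mitigation section and the AntSword user agent. The log lines embedded in it are constructed for the example, not real traffic, and the web shell path in them is invented.

```powershell
# Added example, not from the original advisory or from Microsoft's Sentinel queries.
# The sample log below is constructed; the paths and IPs in it are not real indicators.

$RequestPattern   = '.*autodiscover\.json.*\@.*Powershell.*'   # pattern from the advisory
$UserAgentPattern = 'antsword'                                 # AntSword's default UA contains this token

function ConvertFrom-IisW3CLog {
    # Parses W3C extended log text into objects keyed by the names in the #Fields line.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines rather than guess
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Find-ExchangeZeroDayActivity {
    param([string[]]$Lines)
    foreach ($e in ConvertFrom-IisW3CLog -Lines $Lines) {
        # IIS logs the query string as received; decode it so %40 / %3F cannot
        # hide the '@' and '?' the pattern relies on.
        $uri = [System.Uri]::UnescapeDataString("$($e.'cs-uri-stem')?$($e.'cs-uri-query')")
        $reasons = @()
        if ($uri -imatch $RequestPattern)                   { $reasons += 'autodiscover/powershell request pattern' }
        if ($e.'cs(User-Agent)' -imatch $UserAgentPattern)  { $reasons += 'AntSword user agent' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIP = $e.'c-ip'
                Method   = $e.'cs-method'
                Uri      = $uri
                Status   = $e.'sc-status'
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample log (not real data). IIS writes spaces in the user agent as '+'.
$SampleText = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:15:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-29 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json Email=user%40contoso.com&Protocol=Powershell 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-29 10:16:40 10.0.0.5 POST /aspnet_client/xml.ashx - 443 - 203.0.113.7 antSword/v2.1 200
'@
$SampleLog = $SampleText -split "`r?`n"

# Expected: the second and third lines are reported, the first is not.
Find-ExchangeZeroDayActivity -Lines $SampleLog | Format-Table -AutoSize

# On a live server, point it at the real logs instead, e.g.:
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' |
#     ForEach-Object { Find-ExchangeZeroDayActivity -Lines (Get-Content $_) }
```

A hit on the request pattern alone is not proof of compromise (the rule-blocked requests from the mitigation above will also match once the rewrite rule is in place, with a 4xx or aborted status), so correlate the client IP and timestamp with new files under the IIS web roots and with the Defender alerts listed in the next section.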

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts can be related to this threat:

• Possible web shell installation.

• Possible IIS web shell.

• Suspicious Exchange Process Execution.

• Possible exploitation of Exchange Server vulnerabilities.

• Suspicious processes indicative of a web shell.

• Possible IIS compromise.

Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware seen in in-the-wild exploitation of these vulnerabilities, as of this writing, with the following alerts:

• ‘Chopper’ malware was detected on an IIS Web server.

• ‘Chopper’ high-severity malware was detected.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the post-exploitation malware used in current in-the-wild exploitation of these vulnerabilities as the following:

• Backdoor:ASP/Webshell.Y (Backdoor:ASP/Webshell.Y threat description – Microsoft Security Intelligence)

• Backdoor:Win32/RewriteHttp.A (Backdoor:Win32/RewriteHttp.A threat description – Microsoft Security Intelligence)


References

WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation (thehackernews.com)

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center)

Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server (GTSC blog, "Providing comprehensive security services", gteltsc.vn)