Microsoft has responded to two recently discovered zero-day flaws in Microsoft Exchange Server 2013, 2016, and 2019 by stating that they are being exploited in the wild.
“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft said.
“At this time, Microsoft is aware of limited, targeted attacks using the two vulnerabilities to get into users’ systems.”
The company said CVE-2022-41040 could only be exploited by attackers who have logged in first. If successful, they could then trigger the CVE-20220082 RCE flaw.
Microsoft claims that customers of Exchange Online don’t have to take any action yet because the company has detected and mitigation in place to defend customers.
“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary action to protect customers. [..] We are working on an accelerated timeline to release a fix,” Microsoft added.
According to GTSC, a Vietnamese cybersecurity company that first reported the assaults, the zero-days are chained to deploy Chinese Chopper web shells for persistence and data theft and laterally through the victims’ networks.
Based on the web shells’ code page, a Microsoft character encoding for simplified Chinese, GTSC suspects that a Chinese threat group may be behind the ongoing assaults.
The threat group manages the web shells installed on compromised servers with the Antsword Chinese open-source website admin tool, as revealed by the user agent.
Mitigation measures may be taken.
Redmond has also confirmed the mitigation measures shared yesterday by GTSC. These security researchers had discovered the two flaws and reported them to Microsoft through the Zero Day Initiative private channel three weeks prior.
“On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions and block exposed Remote PowerShell ports,” Microsoft added.
“The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”
Follow these steps to apply the mitigation to vulnerable servers:
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}
Since the attackers can also exploit exposed and vulnerable Exchange servers to remotely execute remote code via CVE-2022-41082 exploitation, Microsoft also advises administrators to block these Remote PowerShell ports to limit the attacks:
- HTTP: 5985
- HTTPS: 5986
The GTSC stated that to see if their Exchange servers have been affected, admins can run this PowerShell command which scans IIS log files:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
