Microsoft has confirmed two new zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) are being exploited in “limited, targeted attacks.” In the absence of an official patch, organizations should check their environments for signs of exploitation and then apply the emergency mitigation steps.
- CVE-2022-41040 — Server-side request forgery, allowing authenticated attackers to make requests posing as the affected machine
- CVE-2022-41082 — Remote Code Execution, allowing authenticated attackers to execute arbitrary PowerShell.
“Currently, there are no known proof-of-concept scripts or exploitation tooling available in the wild,” wrote John Hammond, a threat hunter with Huntress. However, that just means the clock is ticking. With renewed focus on the vulnerability it is just a matter of time before new exploits or proof-of-concept scripts become available.
Steps to Detect Exploitation
The first vulnerability — the server-side request forgery flaw — can be used to achieve the second — the remote code execution vulnerability — but the attack vector requires the adversary to already be authentication on the server.
Per GTSC, organizations can check if their Exchange Servers have already been exploited by running the following PowerShell command:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*Autodiscover\.json.*\@.*200
GTSC has also developed a tool to search for signs of exploitation and released it on GitHub. This list will be updated as other companies release their tools.
Microsoft-Specific Tools
- According to Microsoft, there are queries in Microsoft Sentinel that could be used to hunt for this specific threat. One such query is the Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell. The new Exchange Server Suspicious File Downloads query specifically looks for suspicious downloads in IIS logs.
- Alerts from Microsoft Defender for Endpoint regarding possible web shell installation, possible IIS web shell, suspicious Exchange Process Execution, possible exploitation of Exchange Server vulnerabilities, suspicious processes indicative of a web shell, and possible IIS compromise can also be signs the Exchange Server has been compromised via the two vulnerabilities.
- Microsoft Defender will detect the post-exploitation attempts as Backdoor:ASP/Webshell.Y and Backdoor:Win32/RewriteHttp.A.
Several security vendors have announced updates to their products to detect exploitation, as well.
Huntress said it monitors approximately 4,500 Exchange servers and is currently investigating those servers for potential signs of exploitation in these servers. “At the moment, Huntress has not seen any signs of exploitation or indicators of compromise on our partners’ devices,” Hammond wrote.
Mitigation Steps to Take
Microsoft promised that it is fast-tracking a fix. Until then, organizations should apply the following mitigations to Exchange Server to protect their networks.
Per Microsoft, on-premises Microsoft Exchange customers should apply new rules through the URL Rewrite Rule module on IIS server.
- In IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions, select Request Blocking and add the following string to the URL Path:
.*autodiscover\.json.*\@.*Powershell.*
The condition input should be set to {REQUEST_URI}
- Block ports 5985 (HTTP) and 5986 (HTTPS) as they are used for Remote PowerShell.
If you are using Exchange Online:
Microsoft said Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online are likely to have hybrid Exchange environments, with a mix of on-prem and cloud systems. They should follow the above guidance to protect the on-prem servers.
