Microsoft confirms two zero-day vulnerabilities in Exchange Server 2013, 2016 and 2019 are being exploited; one researcher suspects a Chinese threat actor (Sergiu Gatlan, BleepingComputer)

Microsoft confirms new Exchange zero-days are used in attacks


Microsoft confirmed that two zero-day vulnerabilities recently discovered in Microsoft Exchange Server 2013, 2016 and 2019 are being exploited in the wild.

Microsoft stated that the first vulnerability is CVE-2022-41040. The second, CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.

“At the moment, Microsoft is aware that there are limited targeted attacks using these two vulnerabilities to gain access to users’ systems.”

According to the company, authenticated attackers can exploit the CVE-2022-41040 flaw, and successful exploitation then lets them trigger the CVE-2022-41082 RCE vulnerability.


Microsoft claims Exchange Online customers do not need to take immediate action because Microsoft has mitigation and detection systems in place to protect them.

“Microsoft will also monitor these detected malicious activity detections and take the necessary actions to protect customers. [..]” Microsoft said that they are working quickly to release a fix.

The ongoing attacks were first reported by the Vietnamese cybersecurity outfit GTSC. They claim that the zero-days have been chained to deploy China Chopper web shells for persistence and data theft, and then to move laterally through victims’ networks.

GTSC suspects that a Chinese threat group may be behind the attacks, based on the web shells’ code page, which is a Microsoft character encoding for simplified Chinese.

The threat group also manages the web shells with Antsword, a Chinese open-source website administration tool, as revealed by the user agent that installed them on compromised servers.

Mitigation available

Redmond also confirmed the mitigation measures that GTSC shared yesterday. Security researchers from GTSC had reported the flaws to Microsoft through the Zero Day Initiative three weeks ago.

Microsoft stated that Exchange customers should review and follow the URL Rewrite instructions and block the remote PowerShell ports.

“The current mitigation is to add a blocking rule in IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.

These steps will help you apply mitigation to vulnerable servers:

  1. Start the IIS Manager.
  2. Expand the Default Web Site.
  3. Choose Autodiscover.
  4. Click URL Rewrite in the Feature View.
  5. Click Add Rules in the Actions pane on the right.
  6. Click OK and select Request Blocking.
  7. Add the string “.*autodiscover\.json.*\@.*Powershell.*” and click OK.
  8. Expand the rule, select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*”, and click Edit under Conditions.
  9. Change the condition input from URL to REQUEST_URI.

Threat actors may also be able to reach Remote PowerShell on vulnerable Exchange servers and execute code remotely by exploiting CVE-2022-41082. Microsoft advises administrators to block the following Remote PowerShell ports to prevent these attacks:

  • HTTP: 5985
  • HTTPS: 5986

GTSC stated yesterday that administrators who want to check whether their Exchange servers have been compromised can use the PowerShell command below to scan IIS log files for signs of compromise.

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
