TTCSIRT-406.30.09.22: Critical Microsoft Exchange 0-Day Vulnerability Actively Exploited
Critical Microsoft Exchange 0-Day Vulnerability Actively Exploited
Description
The two vulnerabilities for on-premise Microsoft Exchange have been discovered and are now being tracked as a Server-Side Request Forgery vulnerability, CVE-2022-41040, and a remote code execution vulnerability, CVE-2022-41082. The two vulnerabilities are being exploited together to remotely trigger arbitrary code execution which essentially allows threat actors to gain a foothold in the victim’s systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network.
Detection
Exchange servers that have been targeted and successfully exploited may have obfuscated web shells dropped onto the server, in the paths listed below, through POST requests coming from a user-agent, Antsword.
| FileName | Path |
| RedirSuiteServiceProxy.aspx | C:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth |
| Xml.ashx | C:\inetpub\wwwroot\aspnet_client |
| pxh4HG1v.ashx | C:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth |
The following methods can be used to detect if an organization’s Exchange Server has been exploited thanks to the team over at GTSC, a Technology company in Vietnam.
Method 1: Use PowerShell command:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200
Method 2: Use the tool developed by GTSC:
Based on the exploit signature, we build a tool to search with a much shorter time needed than using Powershell. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner
Prevention
There is currently no patch from Microsoft, however, Microsoft is urging customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats. This can be done by following the steps below.
- Open IIS Manager.
- Select Default Web Site.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rule(s)…
- Select Request Blocking and click OK.
- Add the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes).
- Select Regular Expression under Using.
- Select Abort Request under How to block and then click OK.
- Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.
- Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
References