Siddhant Mishra Oct 1, 2022 1:55:48 AM 3 min read

Two Zero-day Vulnerabilities in Microsoft Exchange Exploited in Wild

"We are working on an accelerated timeline to release a fix. Until then, we’re providing mitigations and the detection guidance below to help customers protect themselves from these attacks." - Microsoft advisory, as published on 29th September 2022.

Microsoft has publicly reported two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

An attacker would need authenticated network access for the successful exploitation of both these vulnerabilities. According to researchers, the attack appears to be a variant of last year's infamous ProxyShell exploit chain.

According to the Vietnamese cybersecurity outfit GTSC, which first reported the ongoing attacks, the two zero-days are chained to deploy China Chopper web shells for persistence and data theft, and to move laterally through the victim's network.

Microsoft states that Exchange Online customers do not need to take any action, while for on-premises Exchange customers it has provided the mitigations described below.

How to Detect

Use either of the following methods to check whether your Exchange Servers have been compromised through exploitation of these flaws:

Method 1: Run the following PowerShell command against the IIS logs (the original pattern was missing its closing quote):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

<Path_IIS_Logs> is the IIS log directory. The default is the %SystemDrive%\inetpub\logs\LogFiles folder, but check the path configured on your server.

Method 2: Use the scanner tool developed by GTSC

Searching for the exploit signature can be done in much less time with the NCSE0Scanner tool. Download link: https://github.com/ncsgroupvn/NCSE0Scanner

Temporary Mitigation

Below is the step-by-step procedure provided by Microsoft to mitigate the risk of exploitation of the above issues:

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add String .*autodiscover\.json.*\@.*Powershell.* and click OK.
  • Expand the rule and select the rule with the Pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.
  • Change the condition input from {URL} to {REQUEST_URI}.
  • Microsoft also recommends that customers block the following Remote PowerShell ports:
    • HTTP: 5985
    • HTTPS: 5986
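As an added example (not code from the post, from Microsoft or from GTSC), the following Python script applies the blocking pattern from the mitigation steps to IIS W3C log lines, once against the path alone (what the rule's {URL} input sees) and once against path plus query string ({REQUEST_URI}), which is why the condition input has to be changed. The log excerpt, hostnames and addresses are constructed placeholders.

```python
import re

# Blocking pattern from the mitigation steps above; IIS URL Rewrite matches
# case-insensitively by default, so the same flag is used here.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real telemetry). Hostnames and
# addresses are placeholders; the third request carries the tokens the
# rewrite rule looks for, split between the path and the query string.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-09-28 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.1.20 200
2022-09-28 10:01:09 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\\bob 10.0.1.21 200
2022-09-28 10:02:15 10.0.0.5 POST /autodiscover/autodiscover.json @placeholder.example/powershell 443 - 203.0.113.7 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def request_uri(entry):
    """Rebuild what URL Rewrite exposes as {REQUEST_URI}: path plus query string."""
    query = entry["cs-uri-query"]
    return entry["cs-uri-stem"] if query == "-" else f'{entry["cs-uri-stem"]}?{query}'

def evaluate(text, use_request_uri=True):
    """Return the request URIs the blocking rule would match.
    use_request_uri=False emulates the rule before the condition input is
    changed: {URL} is the path only, so the query string is never inspected."""
    hits = []
    for entry in parse_w3c(text):
        subject = request_uri(entry) if use_request_uri else entry["cs-uri-stem"]
        if BLOCK_PATTERN.search(subject):
            hits.append(request_uri(entry))
    return hits

if __name__ == "__main__":
    print("{URL}:", evaluate(SAMPLE_IIS_LOG, use_request_uri=False))
    print("{REQUEST_URI}:", evaluate(SAMPLE_IIS_LOG, use_request_uri=True))
```

With the path-only input the rule matches nothing; with the full request URI the third request is flagged.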

References:

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/


Siddhant Mishra

A cyber security enthusiast.