Microsoft Exchange Server Zero-Day Exploit
GTSC researchers reported the two newly identified vulnerabilities (ZDI-CAN-18333, CVSS 8.8, and ZDI-CAN-18802, CVSS 6.3) to the Zero Day Initiative (ZDI) so that Microsoft would be pressed to publish a patch urgently.
Microsoft subsequently assigned CVE-2022-41040 (Server-Side Request Forgery) and CVE-2022-41082 (Remote Code Execution, reachable when the attacker can access PowerShell). The two are chained: the SSRF gives access to the back-end PowerShell endpoint, which is then used to trigger the RCE. Microsoft's guidance notes that authenticated access to the vulnerable Exchange server is required to exploit either vulnerability, so the attacker needs valid credentials for a mailbox user, not merely network reachability.
After exploitation, the threat actors drop web shells on the compromised Exchange Server to maintain access to the victim's infrastructure. GTSC reports that, based on its analysis, the actors use the China Chopper web shell and manage the installed web shells with AntSword, a Chinese open-source web shell management tool. China Chopper was also the web shell used by the Hafnium group after the 2021 ProxyLogon exploitation. Other web shells (e.g., SharPyShell) have also been observed after successful exploitation of Microsoft Exchange. The following table lists the identified web shells.
File Name | File path |
RedirSuiteServiceProxy.aspx | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth |
Xml.ashx | C:\inetpub\wwwroot\aspnet_client |
pxh4HG1v.ashx | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth |
Once a web shell is in place, the threat actors evade defenses by injecting malicious DLLs into memory and move laterally through the compromised infrastructure using Windows Management Instrumentation (WMI). The following table lists the malicious files used by the threat actors after gaining initial access:
File Name | File path |
DrSDKCaller.exe | C:\root\DrSDKCaller.exe |
all.exe | C:\Users\Public\all.exe |
dump.dll | C:\Users\Public\dump.dll |
ad.exe | C:\Users\Public\ad.exe |
gpg-error.exe | C:\PerfLogs\gpg-error.exe |
cm.exe | C:\PerfLogs\cm.exe |
msado32.tlb | C:\Program Files\Common Files\system\ado\msado32.tlb |
Organizations that have moved entirely to Microsoft 365 (Exchange Online) are not affected. Organizations running a hybrid architecture with Microsoft 365 and an on-premises Exchange server that is not reachable from the internet are not directly exposed to this campaign, since the threat actors are targeting internet-facing Exchange servers; the main risk is therefore for organizations that expose Outlook Web App (OWA) and the other Exchange front-end endpoints (Autodiscover, EWS) on the internet. Because exploitation requires valid credentials, however, a non-exposed on-premises server can still be targeted by an attacker who already has a foothold inside the network.
Detection actions
With the aim to detect potential attempts to exploit the Exchange vulnerabilities, organizations can perform the following threat hunting activities:
- PowerShell search: run the following command from an elevated PowerShell prompt on the Exchange server, replacing <Path_IIS_Logs> with the IIS log directory (by default C:\inetpub\logs\LogFiles):
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
- GTSC NCSE0Scanner: run the open-source scanner published by GTSC for this attack.
- Sigma rule: deploy the SigmaHQ web-log rule for ProxyShell-style Exchange requests (see References), which covers the same autodiscover.json/PowerShell request pattern used in this attack scenario.
- IOC search: implement detection rules and run queries on the security technologies in use to hunt for and alert on the IOCs listed in the dedicated section below.
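As an added example (not code from the original advisory, from GTSC or from SEC Consult), the two hunts above combined into one PowerShell script: the IIS-log search, run on the URL-decoded form of each line and with an order-independent second pattern so that percent-encoded or reordered variants of the request are not missed, and a check of the web shell drop directories against the file names and SHA256 values from the IOC table. The log lines are constructed for the example; the IIS log root C:\inetpub\logs\LogFiles and the default Exchange install path are assumptions.

```powershell
# Added example; not from the original advisory. PowerShell's -match and -in
# operators are case-insensitive by default, which the log hunt relies on.

function Find-ProxyNotShellRequests {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$LogLines)

    $patterns = @(
        # Pattern from the advisory, evaluated below on the URL-decoded line.
        'powershell.*autodiscover\.json.*@.*200',
        # Order-independent form: both tokens anywhere in the line, any status.
        '(?=.*autodiscover\.json)(?=.*powershell)'
    )
    $fields = @()
    $n = 0
    foreach ($line in $LogLines) {
        $n++
        if ($line -like '#Fields:*') {
            # W3C header: remember the column order so hits can be decoded.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # %40 -> '@', %3f -> '?', %50owershell -> 'Powershell' before matching.
        $decoded = [uri]::UnescapeDataString($line)
        foreach ($p in $patterns) {
            if ($decoded -match $p) {
                $cols = $line -split '\s+'
                $col  = { param($name) $i = [array]::IndexOf($fields, $name)
                          if ($i -ge 0 -and $i -lt $cols.Count) { $cols[$i] } }
                [pscustomobject]@{
                    Line     = $n
                    ClientIP = & $col 'c-ip'
                    Method   = & $col 'cs-method'
                    Status   = & $col 'sc-status'
                    Query    = & $col 'cs-uri-query'
                    Pattern  = $p
                }
                break   # one report per line
            }
        }
    }
}

function Find-KnownWebShells {
    [CmdletBinding()]
    param(
        # Drop directories from the web shell table (default install path assumed).
        [string[]]$Directories = @(
            (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'),
            'C:\inetpub\wwwroot\aspnet_client'
        ),
        [string[]]$KnownHashes = @(),
        [string[]]$KnownNames  = @('RedirSuiteServiceProxy.aspx', 'Xml.ashx', 'pxh4HG1v.ashx')
    )
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $byHash = $hash -in $KnownHashes
                $byName = $_.Name -in $KnownNames
                if ($byHash -or $byName) {
                    [pscustomobject]@{
                        Path        = $_.FullName
                        SHA256      = $hash
                        MatchedHash = $byHash
                        MatchedName = $byName
                        LastWrite   = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

# Web shell SHA256 values copied from the IOC table of this page.
$iocHashes = @(
    'c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1',
    '65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5',
    'b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca',
    'be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257'
)

# Constructed sample log (W3C format). Line 3 is only caught because the line
# is URL-decoded first: its '@' and '?' arrive as %40 and %3f. Line 4 is a
# benign Autodiscover request and must not match.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.10 Mozilla/5.0 200
2022-09-28 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 203.0.113.10 Mozilla/5.0 200
2022-09-28 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.test/PowerShell&Email=autodiscover/autodiscover.json%3f%40evil.test 443 - 203.0.113.10 Mozilla/5.0 200
2022-09-28 10:16:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test 443 - 198.51.100.7 Mozilla/5.0 401
'@ -split "`r?`n"

Find-ProxyNotShellRequests -LogLines $sampleLog | Format-Table -AutoSize
# Against live logs: Get-ChildItem -Recurse C:\inetpub\logs\LogFiles -Filter *.log | Get-Content
Find-KnownWebShells -KnownHashes $iocHashes | Format-Table -AutoSize
```

On the sample data the first function reports lines 3 and 4 of the log (both from 203.0.113.10, status 200) and nothing else. The hash check is intentionally restricted to script-handler extensions in the two drop directories; a file in owa\auth with a recent LastWrite that does not match a known hash is still worth a manual look, since hashes only catch the exact samples GTSC recovered.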
Prevention countermeasures
Until Microsoft provides an official patch (fixes were subsequently released in the November 2022 Exchange Server Security Updates), SEC Consult strongly recommends that its customers and the wider community consider the following "hot-fix" mitigations to reduce the risk of compromise through these zero-days, after verifying that they do not affect the availability of the mail service. To block potentially malicious web requests, a blocking rule can be added in IIS Manager through the URL Rewrite module, as follows:
1. Open Internet Information Services (IIS) Manager, select the Exchange front-end site (Default Web Site) or its Autodiscover virtual directory, open URL Rewrite, click "Add Rule(s)..." and choose the "Request blocking" template.
2. Block access based on "URL Path", matching the pattern `.*autodiscover\.json.*Powershell.*` using "Regular Expressions".
3. Edit the generated rule and change the condition input from "{URL}" to "{REQUEST_URI}", so that the pattern is evaluated against the full request URI including the query string.
Note that this rule blocks only what the pattern matches: it is evaluated on the raw (not URL-decoded) request URI and requires the two tokens in a fixed order, and Microsoft revised the recommended pattern and condition input several times in the days after publication because the first versions could be bypassed. Check the current MSRC guidance (see References) before relying on this mitigation alone.
It is also suggested to block access to PowerShell Remoting for non-admin users, following Microsoft's guide on controlling remote PowerShell access to Exchange servers (see References).
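The same mitigation written as a script rather than clicked through IIS Manager, as an added example that is not code from the original advisory, from SEC Consult or from Microsoft. It uses the IIS WebAdministration module to create the request-blocking rule, and deliberately departs from the UI steps in two places: the pattern is evaluated on {UrlDecode:{REQUEST_URI}} with ignoreCase set, and it is written with lookaheads so that token order does not matter, which is the direction Microsoft's later revisions of the rule took. The site name "Default Web Site", the rule name, and the "non-admin" filter in the remote PowerShell step are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example; not the advisory's or Microsoft's own script. Run in an
# elevated PowerShell on the Exchange server. Assumes the IIS URL Rewrite
# module is installed and the Exchange front end is "Default Web Site".
Import-Module WebAdministration

$site     = 'Default Web Site'                                # assumption
$psPath   = "IIS:\Sites\$site"
$ruleName = 'ProxyNotShell autodiscover-powershell block'     # assumption
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

# Remove an earlier copy of the rule so the script can be re-run safely.
if (Get-WebConfiguration -PSPath $psPath -Filter $rule) {
    Remove-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' -AtElement @{ name = $ruleName }
}

# <rule name="..." patternSyntax="ECMAScript" stopProcessing="true">
Add-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' -Value @{
    name = $ruleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'
}
#   <match url=".*" />  -- every request is handed to the condition below
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/match" -Name 'url' -Value '.*'
#   <conditions><add input="{UrlDecode:{REQUEST_URI}}" pattern="..." ignoreCase="true" /></conditions>
#   Decoded input defeats %-encoding tricks; the lookaheads make token order irrelevant.
Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name '.' -Value @{
    input = '{UrlDecode:{REQUEST_URI}}'; pattern = '(?=.*autodiscover)(?=.*powershell)'; ignoreCase = 'True'
}
#   <action type="AbortRequest" />  -- close the connection, return no response
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name 'type' -Value 'AbortRequest'

# Show what was written to applicationHost.config / web.config.
Get-WebConfiguration -PSPath $psPath -Filter $rule | Format-List name, patternSyntax, stopProcessing
Get-WebConfiguration -PSPath $psPath -Filter "$rule/conditions/add" | Format-List input, pattern, ignoreCase

# Companion step from the advisory: disable remote PowerShell for users who do
# not need it. Run in the Exchange Management Shell. Which users count as
# "non-admin" is an assumption here; adapt the selection to the organization
# and drop -WhatIf once the result set has been reviewed.
# Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
#     Set-User -RemotePowerShellEnabled $false -WhatIf
```

To confirm the rule is live, request a URI containing both tokens (for instance /autodiscover/autodiscover.json?@test/powershell) against the server: with AbortRequest the client gets no HTTP response at all, while a normal /owa/ request must still be answered. Because mail flow and client access pass through the same site, test on a non-production server or during a maintenance window, as the advisory advises.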
Finally, it is strongly suggested to block the indicators of compromise (IOCs) listed in the following section in the security technologies in use.
Indicators of Compromise (IOCs)
The following table lists the indicators of compromise related to the threat actors currently exploiting the Microsoft Exchange zero-day vulnerabilities.
IoC | Type | Description |
5[.]180[.]61[.]17 | IP address | Command and Control |
47[.]242[.]39[.]92 | IP address | Command and Control |
61[.]244[.]94[.]85 | IP address | Command and Control |
86[.]48[.]6[.]69 | IP address | Command and Control |
86[.]48[.]12[.]64 | IP address | Command and Control |
94[.]140[.]8[.]48 | IP address | Command and Control |
94[.]140[.]8[.]113 | IP address | Command and Control |
103[.]9[.]76[.]208 | IP address | Command and Control |
103[.]9[.]76[.]211 | IP address | Command and Control |
104[.]244[.]79[.]6 | IP address | Command and Control |
112[.]118[.]48[.]186 | IP address | Command and Control |
122[.]155[.]174[.]188 | IP address | Command and Control |
125[.]212[.]220[.]48 | IP address | Command and Control |
125[.]212[.]241[.]134 | IP address | Command and Control |
137[.]184[.]67[.]33 | IP address | Command and Control |
185[.]220[.]101[.]182 | IP address | Command and Control |
194[.]150[.]167[.]88 | IP address | Command and Control |
206[.]188[.]196[.]77 | IP address | Command and Control |
212[.]119[.]34[.]11 | IP address | Command and Control |
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | SHA256 | Web Shell |
65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5 | SHA256 | Web Shell |
b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca | SHA256 | Web Shell |
be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257 | SHA256 | Web Shell |
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 | SHA256 | Malicious DLL |
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 | SHA256 | Malicious DLL |
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 | SHA256 | Malicious DLL |
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 | SHA256 | Malicious DLL |
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 | SHA256 | Malicious DLL |
76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e | SHA256 | Malicious DLL |
References
- https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps
- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
- https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_proxyshell.yml
- https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=by%3A%20Marcin%20Wiazowski-,ZDI%2DCAN%2D18333,-Microsoft
- https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=Zero%20Day%20Initiative-,ZDI%2DCAN%2D18802,-Microsoft
- https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
- https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html
- https://securityaffairs.co/wordpress/136433/hacking/microsoft-exchange-zero-day-2.html