Microsoft Exchange Server Zero-Day Exploit


GTSC cybersecurity researchers warned about two new zero-day vulnerabilities affecting Microsoft Exchange Server that are being actively exploited, allowing an authenticated threat actor to remotely execute arbitrary code (RCE).

GTSC researchers reported the newly identified vulnerabilities (ZDI-CAN-18333, CVSS 8.8; ZDI-CAN-18802, CVSS 6.3) to the Zero Day Initiative (ZDI), asking Microsoft to publish a patch urgently.

Microsoft officially identified the new vulnerabilities as CVE-2022-41082 (Remote Code Execution) and CVE-2022-41040 (Server-Side Request Forgery).

Once the exploit has run, threat actors drop web shells onto the compromised Exchange Server to gain initial access to the victim's infrastructure. GTSC claims that, based on its analysis, the threat actors use the China Chopper web shell and Antsword, a Chinese open-source platform for managing the installed web shells. The China Chopper web shell was also abused by the attacker group Hafnium after ProxyShell exploitation. Other types of web shells (e.g., SharPyShell) are also abused by the threat actors after successfully exploiting Microsoft Exchange. The following table shows the identified web shells.

File Name                     File path
RedirSuiteServiceProxy.aspx   C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Xml.ashx                      C:\inetpub\wwwroot\aspnet_client
pxh4HG1v.ashx                 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

Following the execution of a web shell, threat actors evade security defenses by injecting malicious DLLs into memory and move laterally within the compromised infrastructure through Windows Management Instrumentation (WMI). The following table shows the malicious files used by the threat actors after gaining initial access:

File Name        File path
DrSDKCaller.exe  C:\root\DrSDKCaller.exe
all.exe          C:\Users\Public\all.exe
dump.dll         C:\Users\Public\dump.dll
ad.exe           C:\Users\Public\ad.exe
gpg-error.exe    C:\PerfLogs\gpg-error.exe
cm.exe           C:\PerfLogs\cm.exe
msado32.tlb      C:\Program Files\Common Files\system\ado\msado32.tlb

Organizations that have adopted Microsoft 365 (O365), or that run a hybrid architecture with O365 and an on-premises Microsoft Exchange server that is not exposed to the internet, are not directly affected by these attacks, since the threat actors are actively targeting exposed Microsoft Exchange servers. The main risk of compromise is therefore for organizations that expose Outlook Web App on the internet.

Detection actions

To detect potential attempts to exploit the Exchange vulnerabilities, organizations can perform the following threat hunting activities:
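As an added example (not part of the original advisory), the Python script below implements one such hunt over IIS W3C extended log lines. It flags requests whose URI matches the ".*autodiscover\.json.*Powershell.*" string used by the blocking rule in the prevention section, requests for the web shell file names listed above, and clients whose address appears in the advisory's IOC table. The sample log lines, the field layout and the output format are constructed for the example; only two of the C2 addresses from the IOC table are embedded, and a real hunt would load the full list.

```python
import re
from ipaddress import ip_address

# Pattern from the URL Rewrite mitigation in this advisory. IIS matches it
# case-insensitively, so the hunt does the same.
EXPLOIT_URI_RE = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)

# Web shell file names listed in the advisory, compared case-insensitively
# (as NTFS and IIS do).
WEB_SHELL_NAMES = {"redirsuiteserviceproxy.aspx", "xml.ashx", "pxh4hg1v.ashx"}

# Two of the C2 addresses from the IOC table, in the defanged form used there.
DEFANGED_C2 = ["5[.]180[.]61[.]17", "137[.]184[.]67[.]33"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into a normal IP string."""
    return ioc.replace("[.]", ".")


C2_ADDRESSES = {ip_address(refang(ioc)) for ioc in DEFANGED_C2}


def parse_iis_log(text: str):
    """Yield one dict per request from W3C extended IIS log text, keyed by the
    names in the most recent #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt(text: str):
    """Return a list of suspicious requests with the reasons they were flagged."""
    findings = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        request = stem if query == "-" else f"{stem}?{query}"
        client = rec.get("c-ip", "")
        reasons = []
        if EXPLOIT_URI_RE.match(request):
            reasons.append("uri matches autodiscover/powershell pattern")
        if stem.rsplit("/", 1)[-1].lower() in WEB_SHELL_NAMES:
            reasons.append("request for known web shell file name")
        try:
            if ip_address(client) in C2_ADDRESSES:
                reasons.append("client address in c2 list")
        except ValueError:
            pass  # c-ip column missing or not an address
        if reasons:
            findings.append({
                "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": client,
                "request": request,
                "reasons": reasons,
            })
    return findings


# Constructed sample log: the flagged lines are illustrative, not captured traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json x=1/Powershell 443 - 5.180.61.17 Mozilla/5.0 200
2022-09-29 10:15:07 10.0.0.5 GET /owa/auth/RedirSuiteServiceProxy.aspx - 443 - 5.180.61.17 Mozilla/5.0 200
2022-09-29 10:16:11 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2022-09-29 10:17:40 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 198.51.100.7 Mozilla/5.0 401
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["time"], f["client"], f["request"], "->", "; ".join(f["reasons"]))
```

Point the script at the log directories of the Default Web Site and the Exchange Back End site (their locations differ per installation), and treat a hit on the web shell file names as higher priority than a URI match alone, since a match on the pattern can also be a failed attempt that the blocking rule stopped.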

Prevention countermeasures

Until Microsoft provides an official patch, SEC Consult strongly recommends that its customers and the wider community consider implementing the following "hot-fix" remediation actions, after making sure they will not impact the availability of the mail service, to reduce the risk of compromise through the identified zero-day. To block potentially malicious web requests, organizations can add a blocking rule in IIS Manager through the URL Rewrite functionality, as described below:

1. Open Internet Information Service (IIS) Manager and select "Request blocking" from the "Add Rule(s)" tab.

Figure 1 – IIS Manager request blocking

2. Specify the string ".*autodiscover\.json.*Powershell.*" in the URL Path attribute.

Figure 2 - IIS Manager Add Request Blocking Rule

3. Indicate "{REQUEST_URI}" in the "Condition input" attribute.

Figure 3 - IIS Manager Blocking Rule Input Condition
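The three IIS Manager steps above produce a URL Rewrite rule in the affected site's web.config. As an added example that is not part of the advisory, the Python script below writes that same rule (match any URL, condition on {REQUEST_URI} against the string from step 2, action AbortRequest) into a web.config document without duplicating it on repeated runs, and provides a small pre-deployment check that applies the pattern the way IIS URL Rewrite does (case-insensitively), so a team can confirm what the rule will and will not block before rolling it out. The rule name, the web.config location and the sample request URIs are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Rule name is an assumption; the pattern is the string given in step 2.
RULE_NAME = "BlockAutodiscoverPowershell"
BLOCK_PATTERN = r".*autodiscover\.json.*Powershell.*"


def _child(parent, tag):
    """Return the child element <tag>, creating it when missing."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def ensure_block_rule(web_config_xml: str) -> str:
    """Return the web.config text with the request-blocking rule present.

    Mirrors the IIS Manager steps: match every URL, add a condition on
    {REQUEST_URI} against the pattern, and abort matching requests.
    Running it twice does not add a second copy of the rule.
    """
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config document")
    rules = _child(_child(_child(root, "system.webServer"), "rewrite"), "rules")
    if any(r.get("name") == RULE_NAME for r in rules.findall("rule")):
        return ET.tostring(root, encoding="unicode")
    rule = ET.SubElement(rules, "rule", name=RULE_NAME, stopProcessing="true")
    ET.SubElement(rule, "match", url=".*")
    conditions = ET.SubElement(rule, "conditions")
    ET.SubElement(conditions, "add", input="{REQUEST_URI}", pattern=BLOCK_PATTERN)
    ET.SubElement(rule, "action", type="AbortRequest")
    return ET.tostring(root, encoding="unicode")


# URL Rewrite conditions ignore case unless ignoreCase="false" is set, so the
# pre-deployment check applies the pattern the same way.
_BLOCK_RE = re.compile(BLOCK_PATTERN, re.IGNORECASE)


def rule_blocks(request_uri: str) -> bool:
    """Would the rule's condition match this REQUEST_URI (path plus query string)?"""
    return _BLOCK_RE.match(request_uri) is not None


if __name__ == "__main__":
    # Minimal constructed web.config; a real run reads and rewrites the existing
    # file of the site the rule is added to (which file is an assumption).
    updated = ensure_block_rule("<configuration><system.webServer/></configuration>")
    print(updated)
    for uri in ("/autodiscover/autodiscover.json?x=1/Powershell",
                "/autodiscover/autodiscover.json?Email=user%40contoso.local",
                "/owa/"):
        print(f"{'BLOCK' if rule_blocks(uri) else 'allow'}  {uri}")
```

Run rule_blocks over a sample of legitimate Autodiscover requests from your own IIS logs before deploying, since a blocking rule that matches ordinary client traffic breaks Outlook connectivity. The pattern string is treated as a parameter on purpose: it is the one given on this page, and Microsoft later revised its recommended pattern, so re-check it against current guidance rather than hard-coding it elsewhere.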

It is also suggested to block access to PowerShell Remoting for non-admin users, following the guide below:

Finally, it is strongly suggested to block, in the security technologies in use, the indicators of compromise (IOCs) reported in the corresponding section.


Indicators of Compromise (IOCs)

The following table shows the indicators of compromise related to the threat actors currently exploiting the Microsoft Exchange zero-day vulnerabilities.

IoC                                                               Type        Description
5[.]180[.]61[.]17                                                 IP address  Command and Control
47[.]242[.]39[.]92                                                IP address  Command and Control
61[.]244[.]94[.]85                                                IP address  Command and Control
86[.]48[.]6[.]69                                                  IP address  Command and Control
86[.]48[.]12[.]64                                                 IP address  Command and Control
94[.]140[.]8[.]48                                                 IP address  Command and Control
94[.]140[.]8[.]113                                                IP address  Command and Control
103[.]9[.]76[.]208                                                IP address  Command and Control
103[.]9[.]76[.]211                                                IP address  Command and Control
104[.]244[.]79[.]6                                                IP address  Command and Control
112[.]118[.]48[.]186                                              IP address  Command and Control
122[.]155[.]174[.]188                                             IP address  Command and Control
125[.]212[.]220[.]48                                              IP address  Command and Control
125[.]212[.]241[.]134                                             IP address  Command and Control
137[.]184[.]67[.]33                                               IP address  Command and Control
185[.]220[.]101[.]182                                             IP address  Command and Control
194[.]150[.]167[.]88                                              IP address  Command and Control
206[.]188[.]196[.]77                                              IP address  Command and Control
212[.]119[.]34[.]11                                               IP address  Command and Control
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1  SHA256      Web Shell
65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5  SHA256      Web Shell
b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca  SHA256      Web Shell
be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257  SHA256      Web Shell
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82  SHA256      Malicious DLL
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9  SHA256      Malicious DLL
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0  SHA256      Malicious DLL
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3  SHA256      Malicious DLL
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2  SHA256      Malicious DLL
76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e  SHA256      Malicious DLL