Microsoft has confirmed that two recently identified zero-days in Microsoft Exchange Server 2013, 2016, and 2019 are being used in ongoing attacks. According to Microsoft, “The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.” Microsoft added that CVE-2022-41040 can only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability. According to researchers at GTSC, the zero-days are chained to deploy Chinese Chopper web shells for persistence and data theft and to move laterally through the victims’ networks. Researchers also believe that the ongoing attacks are likely the work of a Chinese threat actor.
Analyst Notes
Microsoft Exchange Online has mitigations in place for these vulnerabilities. According to Microsoft, on premises Microsoft Exchange customers should review and apply the following URL Rewrite blocking rule:
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover.json.*@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover.json.*@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}
It is also recommended to block the following Remote PowerShell ports
- HTTP: 5985
- HTTPS: 5986
Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/
