Microsoft Exchange Server has two unpatched zero-day vulnerabilities that, chained together, let a threat actor forge server-side requests and execute code remotely. This article covers the details of the 0-day vulnerabilities, how they came to light, how the attack chain works, how Microsoft is handling the security patches, and what you can do to protect your Exchange servers.
The tech and cybersecurity world is occupied with yet another Microsoft zero-day. Microsoft Exchange Server has two new zero-day vulnerabilities that are being actively exploited in the wild. Tracked as CVE-2022-41040 and CVE-2022-41082, they allow threat actors to forge server-side requests and execute code remotely, which in turn lets them drop malicious files and web shells on the server. Here is everything about the Exchange Server vulnerabilities and what you can do to protect yourself.
How Were the Microsoft Exchange Server Zero-Day Vulnerabilities Discovered?
The vulnerabilities were discovered by GTSC, a cybersecurity company based in Vietnam. While delivering incident response services, GTSC's researchers identified critical infrastructure running Microsoft Exchange that was under active attack.
The GTSC Blue Team determined that the exploitation relied on a new, unpublished vulnerability, and the GTSC Red Team began investigating it. The researchers documented that the flaws were significant, allowed threat actors to achieve RCE (Remote Code Execution) on victim systems, and submitted their findings to ZDI (Zero Day Initiative). ZDI confirmed the two vulnerabilities and assigned them CVSS (Common Vulnerability Scoring System) scores of 8.8 and 6.3; Microsoft's own advisories later rated both CVEs 8.8.
How Do the Microsoft Exchange Server Zero-Day Vulnerabilities Work?
The two zero-day vulnerabilities are used together as a chained attack: CVE-2022-41040, the SSRF, lets an authenticated attacker reach the backend PowerShell endpoint, and through it remotely trigger CVE-2022-41082, the RCE. Widespread exploitation is likely to increase as threat actors fold the published Exchange Server research into their existing toolkits.
The GTSC Blue Team noticed that the IIS (Internet Information Services) logs contained exploit requests in a format similar to the one seen with the ProxyShell vulnerability. GTSC is withholding the technical details of the attack pattern until a patch is released, but says it has worked out how the RCE is achieved and why the exploit requests resemble the ProxyShell ones.
Microsoft highlights that both vulnerabilities require authentication. However, the exploit does not need privileged or admin-level credentials; any valid standard user account will do.
Since there are many ways to obtain ordinary account credentials, such as password spraying or buying stolen credentials, the vulnerabilities pose a severe threat, and you should expect them to be used in similar attacks against other Exchange servers. Microsoft also notes that earlier Exchange Server vulnerabilities have already been adopted into the toolkits of ransomware actors, so users should be wary of follow-on attacks.
What Can Threat Actors Do After Exploiting the Microsoft Exchange Zero-Day Vulnerabilities?
The GTSC report also covers post-exploitation activity and the malicious actions carried out on victim systems. The attackers collect information, establish persistence on the compromised servers, leave backdoors, and move laterally to other servers in the network. GTSC observed:
- Web shells: The threat actors used the Chinese open-source tool AntSword to manage web shells dropped on the Exchange servers. Two web shell templates were found using a Chinese character encoding, pointing to a possible Chinese-speaking threat group behind the attack.
- Command execution: Collecting information is only one side of the coin. The threat actors also download malicious files onto the victim systems and inject malicious DLLs (Dynamic Link Libraries) into memory. They further drop suspicious files on the Exchange server that are executed through WMIC (Windows Management Instrumentation Command-line).
- Malicious files: The files dropped on the servers included both executables (.exe) and libraries (.dll): DrSDKCaller.exe, all.exe, dump.dll, ad.exe, gpg-error.exe, cm.exe, and msado32.tlb. all.exe and dump.dll dump credentials on the server, after which rar.exe compresses the dumps and copies the archive into the Exchange webroot, where it can be fetched over HTTP. cm.exe appears to be a renamed copy of the standard Windows command interpreter and is dropped on the C:\ drive.
How is Microsoft Handling the Microsoft Exchange Zero Day Vulnerabilities?
Microsoft investigated the reports of the two zero-day vulnerabilities, which affect Exchange Server 2013, 2016, and 2019. In its MSTI (Microsoft Security Threat Intelligence) post, Microsoft summarizes the two vulnerabilities, CVE-2022-41040 and CVE-2022-41082: the former is an SSRF (Server-Side Request Forgery), and the latter allows remote code execution when PowerShell is accessible to the attacker.
Microsoft is aware of targeted attacks exploiting these vulnerabilities and describes their scope as limited. It also stresses that the threat actor needs authenticated access to the Exchange server, and that its security teams are working on a fix. (Those fixes shipped later, in the November 2022 Exchange Server Security Updates.)
How to Detect the Microsoft Exchange Server Zero Day Vulnerabilities?
Microsoft notes in its report that Microsoft Defender for Endpoint can detect the post-exploitation activity. Your server may be compromised if you see alerts for the following indicators of attack:
- Possible web shell installation
- Possible IIS web shell
- Suspicious Exchange Process Execution
- Suspicious processes indicating the presence of a web shell
- Possible IIS compromise
- Possible exploitation of Exchange Server vulnerabilities (Only if AMSI is enabled on the Microsoft Exchange Server)
In addition, Microsoft Defender Antivirus detects the specific web shell malware used in these attacks and will alert you with the following detections:
- “Chopper” malware detected on an IIS web server
- “Chopper” high-severity malware was detected
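The Defender alerts above only help if Defender is deployed on the server. For everyone else, the signal GTSC started from is still the most direct one: the IIS logs of the Exchange front end. The following PowerShell is an added example (it is not code from the original article, GTSC or Microsoft): it parses default-format IIS W3C logs, flags requests that carry both the `autodiscover` and `powershell` tokens and succeeded with HTTP 200, and hunts for the dropped-file names listed above. The sample log lines are constructed to show one hit, one rejected attempt and one benign Autodiscover request; the Exchange webroot path is assumed to be the default install location.

```powershell
# Added example (not from the original article, GTSC or Microsoft): hunt IIS logs for
# the request shape GTSC reported, and file listings for the dropped-file names the
# article lists. Uses the default IIS W3C log layout. The log lines below are constructed.

function Find-ProxyNotShellRequests {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Same lookahead pattern as Microsoft's revised URL Rewrite condition. A request
        # that carried both tokens AND got HTTP 200 is the one to escalate.
        [string] $Pattern = '(?=.*autodiscover)(?=.*powershell)'
    )
    $fieldNames = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {            # column layout is declared per log file
            $fieldNames = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fieldNames.Count -eq 0) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fieldNames.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fieldNames.Count; $i++) { $row[$fieldNames[$i]] = $values[$i] }
        $request = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
        if ($request -imatch $Pattern -and $row['sc-status'] -eq '200') {
            [pscustomobject]@{
                Time    = "$($row['date']) $($row['time'])"
                Client  = $row['c-ip']
                User    = $row['cs-username']
                Request = $request
            }
        }
    }
}

# File names the article reports GTSC found dropped on compromised servers.
$KnownDroppedFiles = 'DrSDKCaller.exe', 'all.exe', 'dump.dll', 'ad.exe',
                     'gpg-error.exe', 'cm.exe', 'msado32.tlb', 'rar.exe'

function Find-DroppedArtifacts {
    param([Parameter(Mandatory)] [string[]] $Paths)
    # Flag the known names anywhere, plus any .rar archive under the Exchange front-end
    # webroot, where GTSC saw compressed credential dumps staged for download.
    # The webroot path is the default install location (assumption).
    $webroot = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy'
    foreach ($p in $Paths) {
        $leaf = Split-Path -Path $p -Leaf
        if ($KnownDroppedFiles -contains $leaf) {
            [pscustomobject]@{ Path = $p; Reason = 'known dropped file name' }
        } elseif ($leaf -like '*.rar' -and $p.StartsWith($webroot, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{ Path = $p; Reason = 'archive in Exchange webroot' }
        }
    }
}

# Constructed sample log (default W3C fields). Line 3 has the exploit shape and succeeded;
# line 4 has the tokens but was rejected (401); line 5 is ordinary Autodiscover traffic.
$SampleIisLog = @(
    '#Software: Microsoft Internet Information Services 10.0'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2022-09-28 08:12:07 10.0.0.5 POST /autodiscover/autodiscover.json @probe.invalid/powershell/ 443 contoso\jdoe 203.0.113.9 Mozilla/5.0 - 200 0 0 412'
    '2022-09-28 08:11:58 10.0.0.5 POST /autodiscover/autodiscover.json @probe.invalid/powershell/ 443 - 203.0.113.9 Mozilla/5.0 - 401 1 2148074254 15'
    '2022-09-28 08:13:40 10.0.0.5 POST /autodiscover/autodiscover.json - 443 contoso\asmith 198.51.100.7 Outlook/16.0 - 200 0 0 88'
)

Find-ProxyNotShellRequests -LogLines $SampleIisLog | Format-Table -AutoSize
# Real run (IIS default log path; the Exchange front-end site is usually W3SVC1):
# Find-ProxyNotShellRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
# Find-DroppedArtifacts -Paths (Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue).FullName
```

Only the first sample line is reported: the 401 attempt shows the same request shape but never reached the backend, and the benign line lacks the `powershell` token. A successful hit should be followed by the host-based checks (web shells, the listed file names, archives in the webroot), since the request alone says the chain was attempted, not what happened next.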
How to Protect Against the Microsoft Exchange Server Zero-Day Vulnerabilities?
If you use Microsoft Exchange Online only, no action is needed on your part; hybrid customers who still run an on-premises Exchange server do need to act. For on-premises Exchange, Microsoft's interim mitigation is a URL Rewrite request-blocking rule: open IIS Manager, select the Default Web Site, open URL Rewrite, and add a blocking rule following the steps in the MSRC (Microsoft Security Response Center) post. Microsoft revised that rule after the first version was found to be bypassable, so check that you are applying the current version rather than a copy saved earlier. Microsoft also recommends disabling remote PowerShell access for non-admin users. If you use Microsoft 365 Defender, you should:
- Turn Cloud-delivered protection on.
- Run EDR in block mode to block malicious threats.
- Enable network protection to limit access to malicious domains and content.
- Turn tamper protection on to prevent threat actors from halting security services.
- Enable investigation and remediation so Microsoft Defender can take rapid action if breaches are detected.
- Utilize device discovery to increase network visibility and identify unmanaged devices.
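The IIS Manager clicks above are easy to get subtly wrong (the condition input, in particular, must be {REQUEST_URI} rather than the {URL} that the Request Blocking template fills in). The PowerShell below is an added example, not Microsoft's own mitigation script and not part of the original article: it applies the same request-blocking rule through the WebAdministration module, reads it back, smoke-tests it, and wraps the remote PowerShell recommendation. It assumes the Exchange front end is the IIS "Default Web Site", the URL Rewrite module is installed, and the rule name is my own choice; `Set-User` is an Exchange cmdlet, so that last function must run in the Exchange Management Shell.

```powershell
# Added example, not Microsoft's EOMTv2 script or the article's own text: apply the
# URL Rewrite mitigation that breaks the CVE-2022-41040 -> CVE-2022-41082 chain on an
# on-premises Exchange front end, verify it, and turn off remote PowerShell for the
# non-admin accounts you name. Run elevated on the Exchange server.
# Assumptions: the Exchange front end is the IIS "Default Web Site", the IIS URL Rewrite
# module is installed, and the rule name below is my own choice.
Import-Module WebAdministration

$SitePath    = 'MACHINE/WEBROOT/APPHOST/Default Web Site'
$RulesFilter = 'system.webServer/rewrite/rules'
$RuleName    = 'Block-Autodiscover-PowerShell'
$RuleFilter  = "$RulesFilter/rule[@name='$RuleName']"

function Set-ProxyNotShellRewriteRule {
    # Condition input must be {REQUEST_URI}, not {URL}: Microsoft's first version of the
    # rule matched only {URL} and was bypassable, so the condition and pattern were revised.
    $Pattern = '(?=.*autodiscover)(?=.*powershell)'

    # Drop any earlier copy so the function is idempotent.
    Remove-WebConfigurationProperty -PSPath $SitePath -Filter $RulesFilter -Name '.' `
        -AtElement @{ name = $RuleName } -ErrorAction SilentlyContinue

    # Equivalent of the IIS Manager "Request Blocking" template: match every request,
    # abort it when the condition matches, and stop processing further rules.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesFilter -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name 'type' -Value 'AbortRequest'
}

function Get-ProxyNotShellRewriteRule {
    # Read the rule back so the applied condition is verified, not assumed.
    Get-WebConfiguration -PSPath $SitePath -Filter "$RuleFilter/conditions/add" |
        Select-Object input, pattern, ignoreCase
}

function Test-ProxyNotShellRewriteRule {
    param([string] $BaseUrl = "https://$env:COMPUTERNAME")
    # AbortRequest closes the connection without an HTTP response, so a blocked request
    # surfaces as an exception with no Response object. Use a hostname the server's
    # certificate is valid for: a TLS failure also has no Response and would look "blocked".
    $probe = "$BaseUrl/autodiscover/autodiscover.json?@probe.invalid/powershell/"
    try {
        $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -ErrorAction Stop
        return "NOT BLOCKED: HTTP $($r.StatusCode)"
    } catch {
        if ($_.Exception.Response) { return "NOT BLOCKED: HTTP $([int]$_.Exception.Response.StatusCode)" }
        return 'BLOCKED: connection aborted'
    }
}

function Disable-RemotePowerShellForUsers {
    # Microsoft's companion recommendation: remove remote PowerShell from accounts that do
    # not administer Exchange. Set-User is an Exchange cmdlet, so run this in the Exchange
    # Management Shell. Pass the identities explicitly and keep admin accounts out of the list.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $Identities)
    foreach ($id in $Identities) {
        if ($PSCmdlet.ShouldProcess($id, 'Set RemotePowerShellEnabled to false')) {
            Set-User -Identity $id -RemotePowerShellEnabled $false
        }
    }
}

Set-ProxyNotShellRewriteRule
Get-ProxyNotShellRewriteRule | Format-Table -AutoSize
Test-ProxyNotShellRewriteRule
# Disable-RemotePowerShellForUsers -Identities 'jdoe', 'asmith' -WhatIf
```

Rewrite rules take effect without an IIS reset, so the read-back and the probe can run immediately after the rule is written. If the probe reports an HTTP status instead of an aborted connection, the rule is present but not matching, and the condition input is the first thing to check. Treat the rule as a stopgap only: it narrows the attack surface but does not remove the vulnerable code, so the security update still has to be installed.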
Microsoft has had its fair share of security incidents in recent years: the LAPSUS$ breach in March of this year, the 2021 ProxyLogon mass exploitation of Exchange Server, and now these Exchange zero-day exploits. Microsoft has shipped fixes each time, and a proper patch for these vulnerabilities is on the way (it arrived in the November 2022 Exchange Server Security Updates). Until you have applied it, follow the steps above and make sure your servers are free of post-exploitation indicators of compromise.