December 11, 2023

Attackers are seen using two zero-day vulnerabilities CVE-2022-41040, CVE-2022-41082 to exploit  Microsoft Exchange servers.

Vietnamese cybersecurity company GTSC released a warning saying that, it has detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.

CVE-2022-41040 is a Server-Side Request Forgery vulnerability and CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker, Microsoft explained.

CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. An authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

The vulnerabilities affect Microsoft Exchange Server versions 2013, 2016, and 2019.

Unfortunately, even though the Vietnamese researchers notified Microsoft (via Trend Micro’s Zero Day Initiative) about the flaws several weeks ago, there are no patches yet.

Initially researches thought that the attackers were exploiting the ProxyShell vulnerability, but further analysis proved that the targeted MS Exchange servers were up-to-date with the patches, so the theory of ProxyShell being exploited was discarded.

The ultimate goal of the attackers was to create backdoors on the affected system and perform lateral movements to other servers in the system.

A sweep of the internet found using Shodan that there are nearly 250,000 vulnerable Exchange servers exposed on the internet.

Blocking the ports used for Remote PowerShell can limit these attacks. 

  • HTTP: 5985 
  • HTTPS: 5986 

The steps to add the blocking rule are as follows –

  1. Open the IIS Manager
  2. Expand the Default Web Site
  3. Select Autodiscover
  4. In the Feature View, click URL Rewrite
  5. In the Actions pane on the right-hand side, click Add Rules
  6. Select Request Blocking and click OK
  7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
  8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions
  9. Change the condition input from {URL} to {REQUEST_URI}

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d