Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Trustwave Action Response: Zero Day Vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019

Update Oct. 4: Microsoft released Security Update Guides for these two vulnerabilities. 

Trustwave security teams are aware of two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) impacting on premises versions of Microsoft Exchange Server 2013, 2016, and 2019 and organizations with Outlook Web Access facing the Internet that, if exploited, can allow an attacker to elevate privilege and remote code execution capability. Exchange online clients do not need to take action.

We immediately investigated the vulnerabilities and potential exploits and continue to monitor the situation. Trustwave infrastructure has not been adversely affected by the vulnerabilities. We are taking a proactive response and actively hunting for the presence of the attacks.

We are diligently watching over our clients for exposure and associated attacks.

We will update this blog as needed with additional information.

Microsoft’s Discovery and Guidance

Microsoft is aware of the issue and reported that a limited number of attacks have taken place. Attacks have been observed since August 2022, although at this stage Microsoft are calling them ‘limited’ with fewer than 10 organizations globally affected. 

Microsoft has not released patches for the vulnerabilities but did release guidance information about these two vulnerabilities on September 30 including some specific mitigation steps.

The issues were first discovered by the GTSC SOC team in Vietnam and reported on September 28. GTSC has tracked the exploitation of these vulnerabilities starting in early August. GTSC's blog includes IOC information that can be used for detection.

What are the Microsoft Exchange Vulnerabilities?

The vulnerabilities are CVE-2022-41040, which is a Server-Side Request Forgery (SSRF) vulnerability used for Elevation of Privilege and CVE-2022-41082, a Remote Code Execution Vulnerability. 

Microsoft's blog notes that for CVE-2022-41040, an attacker must be authenticated and that privileges required for exploitation are low.

In addition, Microsoft Exchange Online clients do not need to take action. However, Exchange Server clients should review and apply the mitigation instructions provided in Microsoft’s blog.

CVE-2022-41082 also requires user authentication and that standard user authentication is sufficient for the attack to work by combining an exploit for elevating privileges. Microsoft further notes an attacker for this vulnerability could target the server accounts in arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

According to GTSC, the exploits were used to install a webshell on the impacted Exchange servers along with other malware.

What Do We Know?

The precise details of the attack have not been released. However, the attacks appear somewhat similar to, the ProxyShell vulnerability (CVE-2021-34473) attacks on Exchange Servers observed in 2021 where a malicious HTTP request are made with “autodiscover/autodiscover.json" string in the URL. Below is an example of the previous ProxyShell request format:

GET /autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

Similarly, in this case, the observed attack sends a malicious HTTP request triggering the chain of vulnerabilities, which leads to the dropping of web shells and running of arbitrary commands, as in the below diagram, from Microsoft.

19083_picture1

Microsoft said authenticated access to the vulnerable Exchange Server is necessary for an attacker to exploit either vulnerability, although privileges necessary for exploitation are low. Furthermore, it must be stress, this a low barrier for adversaries with access to stolen credentials.

Some of the dropped web shells include the open-source tool Antsword, that supports a web shell, and post exploitation framework SharPyShell. In their original blog, GTSC also observed a backdoor called Dll.dll planted in the Exchange Server that emulates Microsoft Exchange EWS (Exchange Web Services), and listens to connections on port 443 at the path:

https://*:443/ews/web/webconfig/.

This backdoor has wide-ranging functionality including collecting information, executing shellcode and commands, and manipulating files.

Mitigation

Microsoft has issued detailed mitigation steps here.

The main mitigation step outlined here is to add a URL Rewrite blocking rule in IIS which looks for and blocks the following string:

".*autodiscover\.json.*\@.*Powershell.*"

Microsoft also advise disabling PowerShell access for non-admin users in your organization.

Recommendations

While attacks may be limited to date, given the nature and publicity of attacks, it is likely cybercriminals will add the attacks to their arsenals and we shall see more such attacks soon. Trustwave recommends:

  • Putting in place recommended mitigations as detailed by Microsoft
  • Scanning IIS logs for signs of malicious http requests
  • Scanning Exchange Servers for IOCs and dropped artifacts

Helpful Resources

GTSC Blog - Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server

Microsoft Security Blog - Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

Microsoft Exchange Team - Blog - Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

Additional Microsoft Customer Guidance

CVE-2022-41040 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2022-41082 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability

Latest SpiderLabs Blogs

Ukrainian Intelligence Claims Successful Compromise of the Russian Ministry of Defense

On March 4, 2024, the Telegram channel of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) was updated with assertions that they executed a successful cyberattack...

Read More

Cost Management Tips for Cyber Admins

As anyone who has filled out an expense report can tell you, cost management is everyone's responsibility. Organizations must apply a careful balance of budget planning and expenditures that are in...

Read More

Resurgence of BlackCat Ransomware

Updated March 8: Based on our experience, we believe that BlackCat's claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after...

Read More