Worried About the Exchange Zero-Day? Here’s What to Do

Microsoft has confirmed that two new zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) are being exploited in “limited, targeted attacks.” If an official patch is not available, organizations should check their environment for signs of exploitation and then apply emergency mitigation steps.

  • CVE-2022-41040 — Server-side request forgery that allows authenticated attackers to make requests impersonating the affected machine
  • CVE-2022-41082 — Remote code execution that allows authenticated attackers to execute arbitrary PowerShell.

“Currently, there are no known proof-of-concept scripts or exploits available in the wild,” wrote John Hammond, a threat hunter at Huntress. However, that just means the clock is ticking. With renewed focus on the vulnerability, it is only a matter of time before new exploits or proof-of-concept scripts become available.

Steps to Detect Exploitation

The first vulnerability—the server-side request forgery flaw—can be used to achieve the second—the remote code execution vulnerability—but the attack vector requires the adversary to already be authenticated on the server.

According to the GTSC, organizations can check if their Exchange servers have already been exploited by running the following PowerShell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*Autodiscover\.json.*\@.*200

GTSC has also developed a tool to search for signs of exploitation and published it on GitHub. This list will be updated as other companies release their tools.

Microsoft-specific tools

  • According to Microsoft, there are queries in Microsoft Sentinel that could be used to hunt down this specific threat. One such query is Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell. The new Exchange Server Suspicious File Downloads query specifically looks for suspicious downloads in IIS log files.
  • Alerts from Microsoft Defender for Endpoint regarding possible web shell installation, possible IIS web shell, suspicious execution of Exchange processes, possible exploitation of Exchange Server vulnerabilities, suspicious processes indicating a web shell, and possible IIS compromise may also indicate that the Exchange Server has been compromised via the two vulnerabilities.
  • Microsoft Defender will detect the post-exploitation attempts like Backdoor: ASP/Webshell.Y and Backdoor:Win32/RewriteHttp.A.

Several security vendors have announced updates to their products to detect exploits as well.

Huntress said it monitors approximately 4,500 Exchange servers and is currently investigating those servers for potential signs of exploitation in those servers. “Currently, Huntress has not seen any signs of exploitation or indicators of compromise on our partners’ devices,” Hammond wrote.

Remedial steps to take

Microsoft promised that it is fast tracking a fix. Until then, organizations should apply the following restrictions to Exchange Server to protect their networks.

According to Microsoft, on-premises Microsoft Exchange customers should apply new rules through the URL Rewrite Rule module on the IIS server.

  • In IIS Manager -> Default Site -> Autodiscover -> URL Rewriting -> Actions, select Request Block and add the following string to the URL path:
.*autodiscover\.json.*\@.*Powershell.*

The condition input must be set to {REQUEST_URI}

  • Block ports 5985 (HTTP) and 5986 (HTTPS) as they are used for Remote PowerShell.

If you use Exchange Online:

Microsoft said that Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online are likely to have hybrid Exchange environments with a mix of on-prem and cloud systems. They should follow the above guidance to protect the local servers.

William

Leave a Reply

Your email address will not be published.