Two New Exchange Zero-Days Raise Questions About Microsoft Security
Microsoft finally issued CVEs—CVE-2022-41040 and CVE-2022-41082—for two new zero-day vulnerabilities in Exchange, ending a few days of speculation that the duo were, in fact, ProxyShell flaws uncovered in 2021.
“I am calling this ProxyNotShell, as it is the same path and SSRF/RCE pair from back then … but with authentication,” security researcher Kevin Beaumont wrote in a blog post, noting that he could “say for sure that attacks have been happening on Exchange servers which match these patterns.”
The vulnerabilities first came to light in a blog post from GTSC researchers, who discovered that critical infrastructure was under attack as they were doing security monitoring and incident response at the beginning of August 2022. “During the investigation, GTSC Blue Team experts determined that the attack utilized an unpublished Exchange security vulnerability, i.e., a [zero]-day vulnerability, thus immediately came up with a temporary containment plan,” the researchers wrote. “At the same time, Red Team experts started researching and debugging Exchange decompiled code to find the vulnerability and exploit code.”
GTSC attributed its quick discovery of the flaw’s exploitation to its familiarity with Exchange code flows and processing mechanisms. “The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” they said. After GTSC submitted the vulnerability to the Zero-Day Initiative (ZDI), ZDI verified it and the two bugs were assigned CVSS scores of 8.8 and 6.3.
“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system,” researchers said, and GTSC’s attack team used a number of techniques “to create backdoors on the affected system and perform lateral movements to other servers in the system.”
They found webshells, “mostly obfuscated, being dropped to Exchange servers. Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports webshell management.”
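The user-agent check GTSC describes is something a defender can run over IIS logs on an Exchange server. The following is an added example, not GTSC’s or Microsoft’s code: it parses the W3C log format using the `#Fields:` header, decodes the `+`-encoded user-agent, and flags requests whose user-agent mentions Antsword. The log lines, the `antSword/v2.1` string, the usernames and the paths are constructed for illustration and are not taken from the article.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log (not from the article). The user-agent value,
# usernames, client addresses and URI paths are assumptions for illustration.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 10:01:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-28 10:01:09 10.0.0.5 POST /owa/auth/sample.aspx - 443 CORP\\jdoe 203.0.113.7 antSword/v2.1 200
2022-09-28 10:02:30 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\admin 198.51.100.2 Mozilla/5.0+(X11) 200
"""

# Case-insensitive match; the exact Antsword version string is an assumption.
WEBSHELL_UA = re.compile(r"antsword", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        rec = dict(zip(fields, parts))
        # IIS writes spaces in the user-agent as '+'; decode before matching
        rec["cs(User-Agent)"] = unquote_plus(rec.get("cs(User-Agent)", ""))
        yield rec


def find_webshell_traffic(text):
    """Return requests whose user-agent points at the Antsword webshell client.

    The authenticated-access requirement in the advisory means cs-username is
    often populated, which helps scope which account to investigate.
    """
    hits = []
    for rec in parse_iis_w3c(text):
        if WEBSHELL_UA.search(rec["cs(User-Agent)"]):
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "user": rec["cs-username"],
                "src": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
            })
    return hits
```

On a real server, feed the contents of the IIS log directory to `find_webshell_traffic` and review each flagged account and source address alongside the web server’s recently written files.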
Microsoft on Tuesday confirmed it is investigating the two bugs, which the company said affect Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.
“The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” the Microsoft Security Response Center said in a blog post.
Microsoft said it knows of “limited targeted attacks” exploiting the two vulnerabilities. “In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082,” they wrote. “It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.”
Beaumont said GTSC researchers “do have a significant find in the malware, which attempts to emulate Microsoft Exchange EWS service.”
Microsoft Security Threat Intelligence teams issued a Microsoft Security blog that details the observed activity and offers detection and hunting guidance.
The company said it’s “working on an accelerated timeline” to ready and release a fix.
“Another [zero]-day in Microsoft being exploited in the wild?” said AJ Grotto, former White House Director for Cyber Policy on the National Security Council during the Obama administration. “This keeps happening to Microsoft. Something is clearly wrong.”