ProxyNotShell: Detecting CVE-2022-41040 and CVE-2022-41082, Novel Microsoft Exchange Zero-Day Vulnerabilities Actively Exploited in the Wild
Table of contents:
Stay on alert! Cybersecurity researchers have recently revealed new Microsoft Exchange zero-day vulnerabilities aka ProxyNotShell tracked as CVE-2022-41040 and CVE-2022-41082 that are currently actively exploited in the wild. The newly uncovered bugs in Microsoft Exchange Server can be paired together in the exploit chain to spread Chinese Chopper web shells on the targeted servers. According to the researchers, these zero-day attacks can be attributed to Chinese hackers.
Detect Attempts to Exploit ProxyNotShell Vulnerabilities: Critical Zero-Days in Microsoft Exchange Server
Adversary campaigns exploiting zero-day vulnerabilities in real-world attacks require ultra-responsiveness from cyber defenders. To help organizations proactively defend against attacks of such scale, SOC Prime’s Detection as Code platform has recently released a set of curated Sigma rules for Microsoft Exchange zero-day exploit detection known as ProxyNotShell vulnerabilities due to their similar. All detection algorithms are available for streamlined search via the “ProxyNotShell” tag based on the name zero-days received due to their similarities with the infamous ProxyShell flaws.
Sigma rules in the provided detection stack can be used across industry-leading SIEM, EDR, and XDR solutions matching the organization-specific environment needs.
Click the Explore Detections button to instantly reach the list of relevant Sigma rules enriched with MITRE ATT&CK references, CTI links, and other relevant cyber threat context.
New Microsoft Exchange Zero-Days aka ProxyNotShell: Attack Analysis and Mitigation
Zero-day vulnerabilities in Exchange Server tend to cause a stir in the cyber threat arena by posing a serious threat to global organizations leveraging this popular Microsoft application. Researchers at Vietnamese cybersecurity outfit GTSC have recently discovered new zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. As GTSC researchers report, the revealed zero-days can be chained together to download Chinese Chopper web shells enabling attackers to steal sensitive data and perform lateral movement across the compromised environment. The malicious activity is linked to a Chinese hacking collective based on the code page containing web shells and the use of AntSword, a Chinese open-source website management utility. Cybersecurity researchers at GTSC have noted that requests in the latest exploit chain targeting the Microsoft Exchange application display similarities with those leveraged in cyber-attacks weaponizing ProxyShell vulnerabilities.
To take immediate action, GTSC has released a warning reporting of an ongoing attack campaign leveraging one of these zero-day flaws by attackers to perform remote code execution (RCE). Cybersecurity researchers have privately submitted this critical information about uncovered security vulnerabilities to Microsoft via Zero Day Initiative, which has identified these flaws as ZDI-CAN-18333 and ZDI-CAN-18802.
On September 29, 2022, the Microsoft Security Response Center issued customer guidance for reported Microsoft Exchange zero-day vulnerabilities with a list of mitigations to remediate the threat. The first flaw is a Server-Side Request Forgery (SSRF) vulnerability tracked as CVE-2022-41040, while the second one, known as CVE-2022-41082, enables adversaries to perform RCE using PowerShell. After gaining authenticated access to Microsoft Exchange Server and leveraging the CVE-2022-41040, threat actors can also trigger the second vulnerability leading to an exploit chain.
According to the customer guidance, online customers leveraging Microsoft Exchange are not required to take immediate action since the disclosed zero-day bugs affect only on-premises applications. As mitigation measures, on-premises application users are recommended to follow a provided set of URL Rewrite Instructions and block compromised Remote PowerShell ports, including HTTP: 5985 and HTTPS: 5986.
MITRE ATT&CK® Context
To dive into the context of Microsoft Exchange zero-days used in the ongoing attacks, the above-mentioned Sigma rules are mapped to the MITRE ATT&CK® framework addressing the corresponding tactics and techniques: