Microsoft confirms new Exchange zero-days are used in attacks

Microsoft confirms new Exchange zero-days are used in attacks
By Sergiu Gatlan
September 30, 2022 04:18 AM 8
Microsoft Exchange

Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild.

"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," Microsoft said.


"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

The company added that the CVE-2022-41040 flaw can only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability.

Microsoft says Exchange Online customers don't need to take any action at the moment because the company has detections and mitigation in place to protect customers.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," Microsoft added.

According to Vietnamese cybersecurity outfit GTSC, who first reported the ongoing attacks, the zero-days are chained to deploy Chinese Chopper web shells for persistence and data theft and to move laterally through the victims' networks.

GTSC also suspects that a Chinese threat group might be responsible for the ongoing attacks based on the web shells' code page, a Microsoft character encoding for simplified Chinese.

The threat group also manages the web shells with the Antsword Chinese open-source website admin tool, as revealed by the user agent used to install them on compromised servers.

Mitigation available
Redmond has also confirmed mitigation measures shared yesterday by GTSC, whose security researchers also reported the two flaws to Microsoft privately through the Zero Day Initiative three weeks ago.

"On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports," Microsoft added.


"The current mitigation is to add a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns."

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

Open the IIS Manager.
Expand the Default Web Site.
Select Autodiscover.
In the Feature View, click URL Rewrite.
In the Actions pane on the right-hand side, click Add Rules.
Select Request Blocking and click OK.
Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.
Change the condition input from {URL} to {REQUEST_URI}
Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:

HTTP: 5985
HTTPS: 5986
GTSC said yesterday that admins who want to check if their Exchange servers have already been compromised could run the following PowerShell command to scan IIS log files for indicators of compromise:

Get-ChildItem -Recurse -Path -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'