New Zero-Day Exploit Targets Microsoft Exchange Servers

Overview

A new zero-day Microsoft Exchange server vulnerability was disclosed by researchers from the Vietnamese cyber security vendor GTSC. GTSC reports that a Chinese threat actor group is exploiting a ProxyShell-like vulnerability chain that allows attackers to execute commands remotely on a compromised server. The attackers are chaining a pair of zero-days to deploy the China Chopper web shell for persistence and data theft, as well as to move laterally to other systems on victims' networks.

"The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system," the researchers said. The user agent used to install the web shells also belongs to Antsword, a Chinese-based open-source website admin tool with web shell management support.

Researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues. Attackers are leveraging two zero-day vulnerabilities (CVE-2022-41040, CVE-2022-41082) to breach Microsoft Exchange servers ("ZDI verified and acknowledged 2 bugs, whose CVSS scores are 8.8 and 6.3"). The Indicators of Compromise appear to be very similar to the ProxyShell exploits last seen in March and August 2021.

The exploit works in two stages:

1. Requests with a similar format to the ProxyShell vulnerability: autodiscover/[email protected]/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%[email protected].

2. The use of the link above to access a component in the backend where the RCE could be implemented.

"The version number of these Exchange servers showed that the latest update had already been installed, so an exploitation using the ProxyShell vulnerability was impossible," the researchers said.

The vulnerability was submitted to Microsoft on September 29th and has already been seen actively exploited in the wild. Tweets posted by researcher Kevin Beaumont confirm that "significant numbers of Exchange servers have been backdoored."

Vice president of Qualys, Travis Smith, stated that he expects the exploitation of the vulnerability to escalate in the next few days.

Potential Impact

If this exploit is verified as a zero-day exploit on fully patched Microsoft Exchange servers, it is potentially quite disruptive. ProxyShell exploitation has been a favourite of ransomware threat actor groups since the disclosure of Microsoft Exchange vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 in May of 2021.

Mitigation

Though Microsoft has not released a patch for this vulnerability, there is a known workaround that will block exploitation attempts. Until Microsoft releases security updates to address the two zero-days, GTSC has shared a temporary mitigation that blocks attack attempts by adding a new IIS server rule using the URL Rewrite module. The steps are as follows:

  • Within IIS for the FrontEnd Autodiscover site, select an option to add a request blocking rule.

  • Ensure that the rule will block access based on “URL Path”.

  • Add the string “.*autodiscover.json.*@.*Powershell.*” (without quotes).

  • Ensure that the rule is using regular expressions.

  • For the condition input, select {REQUEST_URI}.

Please note that Improsec has not independently confirmed this mitigation. However, researchers from GTSC claim these compensating steps should block the known indicator of attacker activity. Administrators should pay very close attention to incoming traffic to on-premises Microsoft Exchange servers for potential signs of compromise. Additionally, paying close attention to future direction from Microsoft is imperative to securing servers.

UPDATE: Oct 4th 2022

According to an article by securityweek.com, a researcher identified as Janggggg tweeted a screenshot on Twitter showing that the mitigation proposed by GTSC can easily be bypassed. Jang has proposed a similar rule that 'should' work (.*autodiscover\.json.*Powershell.*). The securityweek article notes that "Since exploitation of the vulnerabilities requires authentication, mass exploitation is unlikely at this point, but the flaws can be very valuable in targeted attacks. Some members of the cybersecurity community have released open source tools on GitHub that can be used to detect the presence of the vulnerabilities." Patches for these vulnerabilities have yet to be released, but Microsoft says it's working on fixes on an accelerated timeline.
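The two URL-path patterns quoted above (GTSC's original rule from the Mitigation section and Jang's revised rule from this update) are only as good as the requests they actually match, so it is worth running them over real front-end log lines before relying on them. The following is an added example, not code from GTSC, Jang, Improsec or Microsoft: it applies both regular expressions to a constructed IIS W3C log excerpt, rebuilding the path-plus-query string that IIS exposes as {REQUEST_URI} (the logs split stem and query into separate fields). The rule names, the log lines and the hostname example.test are constructed; case-insensitive matching is assumed because the IIS URL Rewrite module ignores case by default.

```python
import re

# Patterns quoted on the page: the original GTSC rule and the revised rule
# from the 4 October update. IIS URL Rewrite matches case-insensitively by
# default, which re.IGNORECASE mirrors here. Rule names are constructed.
RULES = {
    "gtsc_original": re.compile(r".*autodiscover.json.*@.*Powershell.*", re.IGNORECASE),
    "jang_revised": re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE),
}

# Constructed IIS W3C log excerpt (not from the page). Field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-09-30 08:12:01 GET /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3F@example.test 200
2022-09-30 08:12:05 POST /autodiscover/autodiscover.json - 200
2022-09-30 08:13:40 GET /owa/auth/logon.aspx - 200
2022-09-30 08:14:02 GET /autodiscover/autodiscover.json a@example.test/PowerShell 401
2022-09-30 08:15:11 GET /autodiscover/autodiscover.json x=1/powershell 401
"""


def request_uri(stem: str, query: str) -> str:
    """Rebuild what IIS exposes as {REQUEST_URI}: path plus query string.
    The W3C log writes '-' when there is no query string."""
    return stem if query == "-" else f"{stem}?{query}"


def parse_line(line: str):
    """Split one W3C log line into (method, request_uri, status)."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"unexpected field count in log line: {line!r}")
    _date, _time, method, stem, query, status = fields
    return method, request_uri(stem, query), int(status)


def scan_log(log_text: str, rules=RULES):
    """Return one finding per log line that at least one rule would have
    blocked: (line_number, request_uri, sorted names of matching rules)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        _method, uri, _status = parse_line(line)
        hits = sorted(name for name, rx in rules.items() if rx.match(uri))
        if hits:
            findings.append((n, uri, hits))
    return findings


def coverage_gap(log_text: str, rules=RULES):
    """URIs the revised rule matches but the original does not, i.e. requests
    the first mitigation would have passed through to the back end."""
    return [uri for _, uri, hits in scan_log(log_text, rules)
            if "jang_revised" in hits and "gtsc_original" not in hits]


if __name__ == "__main__":
    for n, uri, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: blocked by {', '.join(hits)}: {uri}")
    print("matched only by the revised rule:", coverage_gap(SAMPLE_LOG))
```

The last constructed line carries no "@" and is matched only by the revised pattern, which is the difference between the two rules in the update: the revised one is a superset of the original. The benign POST to autodiscover.json is matched by neither, which is the false-positive check an administrator should confirm against their own traffic before deploying a blocking rule.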

In the meantime, Improsec recommends those affected by this vulnerability continue to follow the Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server on msrc-blog.microsoft.com for the latest recommendations and mitigations.

References

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse

https://github.com/smokeme/ProxyNotShell

https://www.securityweek.com/mitigation-proxynotshell-exchange-vulnerabilities-easily-bypassed

https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

https://www.zerodayinitiative.com/advisories/upcoming/

https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper

https://greycastlesecurity.com/resources/weekly-threat-intelligence-briefing/special-alert-092922/?utm_campaign=Threat_Intel_Briefing_%E2%80%93_Special_Alert_092922_-_Possible_Microsoft_Exchange_Zero-Day_Vulnerability_Exploitation&utm_medium=Twitter&utm_source=SocialPromoter

https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/

https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html

https://www.mandiant.com/sites/default/files/2021-09/rpt-china-chopper.pdf

https://www.protocol.com/bulletins/microsoft-exchange-zero-day-vulnerability

Suspicious Files

On the servers, we detected suspicious files of exe and dll formats:

FileName           Path
DrSDKCaller.exe    C:\root\DrSDKCaller.exe
all.exe            C:\Users\Public\all.exe
dump.dll           C:\Users\Public\dump.dll
ad.exe             C:\Users\Public\ad.exe
gpg-error.exe      C:\PerfLogs\gpg-error.exe
cm.exe             C:\PerfLogs\cm.exe
msado32.tlb        C:\Program Files\Common Files\system\ado\msado32.tlb

Malware Analysis

DLL information

File name: Dll.dll

Sha256:

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82

45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9

9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0

29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3

c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

IP:

125[.]212[.]220[.]48

5[.]180[.]61[.]17

47[.]242[.]39[.]92

61[.]244[.]94[.]85

86[.]48[.]6[.]69

86[.]48[.]12[.]64

94[.]140[.]8[.]48

94[.]140[.]8[.]113

103[.]9[.]76[.]208

103[.]9[.]76[.]211

104[.]244[.]79[.]6

112[.]118[.]48[.]186

122[.]155[.]174[.]188

125[.]212[.]241[.]134

185[.]220[.]101[.]182

194[.]150[.]167[.]88

212[.]119[.]34[.]11

URL:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:

137[.]184[.]67[.]33
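The file paths, SHA256 hashes and network indicators above are only useful once they are turned into a repeatable check. The following is an added example, not a tool from GTSC or Improsec: it embeds the page's indicator list, refangs the "[.]"/"hxxp" notation, and offers three checks a responder would run: listed file paths present on a host (or on a mounted image via a different root), file hashes against the published SHA256 values, and listed IPs appearing in outbound connection logs. The firewall log lines and the internal addresses in them are constructed.

```python
import hashlib
import re
from pathlib import Path

# Indicators as listed on the page (GTSC's report). IPs and the URL are kept
# in the page's defanged form and refanged at match time.
IOC_PATHS = [
    r"C:\root\DrSDKCaller.exe",
    r"C:\Users\Public\all.exe",
    r"C:\Users\Public\dump.dll",
    r"C:\Users\Public\ad.exe",
    r"C:\PerfLogs\gpg-error.exe",
    r"C:\PerfLogs\cm.exe",
    r"C:\Program Files\Common Files\system\ado\msado32.tlb",
]
IOC_SHA256 = {
    "074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82",
    "45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9",
    "9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0",
    "29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3",
    "c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2",
}
IOC_NETWORK = [
    "125[.]212[.]220[.]48", "5[.]180[.]61[.]17", "47[.]242[.]39[.]92",
    "61[.]244[.]94[.]85", "86[.]48[.]6[.]69", "86[.]48[.]12[.]64",
    "94[.]140[.]8[.]48", "94[.]140[.]8[.]113", "103[.]9[.]76[.]208",
    "103[.]9[.]76[.]211", "104[.]244[.]79[.]6", "112[.]118[.]48[.]186",
    "122[.]155[.]174[.]188", "125[.]212[.]241[.]134", "185[.]220[.]101[.]182",
    "194[.]150[.]167[.]88", "212[.]119[.]34[.]11",
    "hxxp://206[.]188[.]196[.]77:8080/themes.aspx",   # URL
    "137[.]184[.]67[.]33",                             # C2
]

# Constructed outbound-connection log (not from the page); 10.0.0.x is a made-up internal range.
SAMPLE_LOG = """\
2022-09-30 09:01:12 EXCH01 outbound TCP 10.0.0.25 -> 137.184.67.33:443 allowed
2022-09-30 09:01:13 EXCH01 outbound UDP 10.0.0.25 -> 10.0.0.1:53 allowed
2022-09-30 09:02:40 EXCH01 outbound TCP 10.0.0.25 -> 206.188.196.77:8080 allowed
"""


def refang(indicator: str) -> str:
    """Undo the defanging used in threat reports so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


# Host part of every network indicator: scheme, port and path stripped.
IOC_HOSTS = {re.sub(r"^https?://|[:/].*$", "", refang(i)) for i in IOC_NETWORK}
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare a lowercased backslash form.
    return path.replace("/", "\\").lower()


def match_paths(observed: list) -> list:
    """Return the listed IOC paths (in page form) present among observed paths."""
    seen = {_norm(p) for p in observed}
    return [p for p in IOC_PATHS if _norm(p) in seen]


def match_hashes(observed: dict, known=IOC_SHA256) -> list:
    """observed maps path -> SHA256 hex; return (path, hash) pairs on the list."""
    return [(p, h.lower()) for p, h in observed.items() if h.lower() in known]


def find_ioc_ips(text: str) -> list:
    """Scan free-text logs for listed IPs; returns (line_number, ip) pairs."""
    return [(n, ip)
            for n, line in enumerate(text.splitlines(), start=1)
            for ip in _IPV4.findall(line) if ip in IOC_HOSTS]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(root="C:/") -> dict:
    """Look for the listed paths under root (a live C: drive, or a mounted
    image) and hash any that exist so a hit can be confirmed against the
    published hashes. Only the "C:" component of each IOC path is replaced."""
    root = Path(root)
    present, hashes = [], {}
    for ioc in IOC_PATHS:
        candidate = root.joinpath(*ioc.split("\\")[1:])
        if candidate.is_file():
            present.append(ioc)
            hashes[ioc] = sha256_file(candidate)
    return {"paths": present, "hashes": match_hashes(hashes)}


if __name__ == "__main__":
    print("IP hits in sample log:", find_ioc_ips(SAMPLE_LOG))
    print("host check:", check_host())
```

A path hit without a hash hit still deserves investigation: the published hashes cover only the five DLL samples GTSC analysed, so a file at one of the listed locations may be a different build of the same tooling. Conversely, the hash check is the one worth adding to a wider file sweep, since the same binaries may be dropped under other names.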
