Fortis Security Advisory: Microsoft Confirms New Exchange Zero-Day Vulnerabilities

Executive Summary

The Fortis Threat Intelligence Team has been monitoring the emerging news of active exploitation of two new Microsoft Exchange zero-day vulnerabilities. A write-up of these vulnerabilities was initially reported by Vietnamese cybersecurity company GTSC. The vulnerabilities were initially reported to the Zero Day Initiative (ZDI) and assigned ZDI-CAN-18333 and ZDI-CAN-18802. Microsoft released a public statement on 9/30/22 confirming these reports and identifying the vulnerabilities as an exploit chain that uses an authenticated server-side request forgery (SSRF) vulnerability and a remote code execution (RCE) vulnerability, which have been assigned CVE-2022-41040 and CVE-2022-41082, respectively. The Fortis team has been actively threat hunting as of 9/29/22 and has taken steps to add indicators of compromise to block lists in its MSSP tenant spaces.

There is currently no fix available, but Microsoft has released mitigation guidance and states that it is working on an accelerated timeline. On-premises and hybrid Exchange environments are the only environments impacted. Microsoft Exchange Online customers do not need to take any action at this time.

The Fortis team recommends following the mitigation advice provided by Microsoft for on-premises and hybrid Exchange servers and performing the hunting and mitigation steps outlined in the Next Steps section below. This is a developing situation; read on for additional details.

Vulnerability Details

The GTSC team has reported in its blog post that it observed ProxyShell-formatted exploit requests within IIS logs and found the ability to perform command execution within other log sources. Its blue team also reported that other customers are experiencing a similar problem. The blog post goes on to say that GTSC's red team was able to perform remote code execution but that the technical details of the vulnerability will not yet be released. A review of reporting from others in the security and intelligence community has not revealed any proof-of-concept scripts or additional details on tooling.

Microsoft has stated that authenticated access to a vulnerable server is required to exploit either one of these new vulnerabilities. Per the Microsoft report, “CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.” 

There are reports of limited targeted attacks exploiting these vulnerabilities, some of which have been used to drop the “Chinese Chopper” webshell. While attribution to a Chinese activity group has been suspected by GTSC, the Fortis Threat Intelligence team will not comment on these assessments at this time.

Fortis ActiveDefense Detection Coverage

Based on a review of the available blog post released by GTSC as well as community intelligence, the Fortis ActiveDefense platform has comprehensive coverage for the behavioral indicators and MITRE ATT&CK mapping provided by GTSC. These vulnerabilities are perceived as similar to ProxyShell, and native vendor coverage for similar detections and post-exploitation activity has matured since ProxyShell’s initial release in 2021. Fortis customers utilizing Microsoft Defender for Endpoint or Microsoft Defender Antivirus should be advised that both solutions currently detect post-exploitation activity from these vulnerabilities. Specific Trend Micro solutions also currently have detection coverage for this activity.

The Fortis by Sentinel SOC team is also performing around-the-clock dedicated threat hunting for the indicators provided by GTSC. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch. We have also been performing proactive blocking of reported indicators of compromise within our managed MSSP tenant spaces as of 9/29/22 to protect our customers during this developing situation.

Next Steps

GTSC has provided two methods for checking your environment to determine whether an Exchange server has been compromised: a PowerShell script and a scanner hosted on GitHub. There are also two Azure Sentinel hunting queries available to hunt for both the SSRF and the RCE activity associated with these vulnerabilities. We recommend reviewing these methods and performing the appropriate detection steps in your environment to discover any compromised hosts. The Microsoft communication contains detailed mitigation steps, and the GTSC blog post also provides its own mitigation measures under the Temporary Containment Measures heading. Please see the links provided below for full details.

Additional indicators of compromise are available in the GTSC blog post. We recommend adding these to blocklists in your environment as appropriate. The Fortis team will continue vigilantly threat hunting and monitoring the situation and will advise customers of developments as they are received and vetted by the Threat Intelligence team.

Additional Recommendations and Best Practices

Aging Exchange vulnerabilities continue to be a popular vector for attack as many Exchange servers remain unpatched following the initial exploitation of the ProxyShell vulnerability in 2021. We recommend ensuring that your environment remains patched and appropriately hardened against attacks targeted at Exchange vulnerabilities and ensuring that a comprehensive vulnerability scanning solution is in place to proactively identify vulnerable assets in your environment.

As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.

References and Additional Reading

- Microsoft statement
- Original GTSC blog post
- Azure Sentinel hunting queries
- Trend Micro security alert
- Community reports