Two unpatched Microsoft Exchange Server zero days are under attack.
Exploited for a month. No detection in Sentinel, no patch yet. Mitigate urgently.
Two zero days in Microsoft Exchange Server 2013, 2016, and 2019 are under apparently widespread attack in the wild and remain unpatched. They were first identified by the Vietnamese security company GTSC in early August during an incident response callout. It said it “has seen other customers also experiencing the similar problem.”
Microsoft late on September 29 allocated CVEs to the vulnerabilities – CVE-2022-41040, a Server-Side Request Forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker. Earlier Microsoft Exchange vulnerability experience suggests attacks will escalate fast.
Microsoft said: “We are working on an accelerated timeline to release a fix”.
UPDATED October 1: Microsoft is updating mitigation and adding details regularly here. This now includes an Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) that can be used to mitigate CVE-2022-41040.
The attack path appears similar to last year's ProxyShell vulnerability which was widely exploited. Exploitation of the new Microsoft Exchange Server zero days needs valid non-admin credentials for any email user.
"Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082", Microsoft added. Blocking the Remote PowerShell ports (HTTP: 5985, HTTPS: 5986) can limit attacks.
Redmond does not at the time of publishing have a specific detection query for this issue in Sentinel.
Troublingly, that's despite the vulnerability having been reported to the Zero Day Initiative 22 days ago by GTSC security researchers and exploitation having been seen in the wild for over a month.
Given previous rapid wholesale abuse of Microsoft Exchange Server zero days users should move fast to mitigate. (Abuse of the ProxyLogon vulnerabilities was among the key causes of incident response callouts in 2021.)
A Shodan query by security researcher Kevin Beaumont suggested that there were over 44,000 exposed users in Germany and over 45,000 exposed users in the US, with 10,000+ potentially exposed in the UK.
Exchange Online customers are not affected. On-premises Microsoft Exchange customers should review and apply the URL Rewrite instructions and block exposed Remote PowerShell ports, Microsoft said.
“The current mitigation is to add a blocking rule in ‘IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions’ to block the known attack patterns”, Redmond added. Its guidance is here.
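With no Sentinel query available yet, defenders are left hunting the IIS logs themselves. The following is an added example, not code from the article, Microsoft or GTSC: a small Python hunt over IIS W3C-format log lines that flags requests to the Autodiscover site whose path and query also reference PowerShell, the same combination the URL Rewrite mitigation above is meant to block. The matching heuristic (both "autodiscover" and "powershell" present in the request URI) is assumed here from Microsoft's later URL Rewrite guidance rather than taken from this page, and the log excerpt is constructed, not real traffic.

```python
import re
from collections import Counter

# Heuristic assumed from Microsoft's later URL Rewrite guidance (not from this
# article): a request whose path+query mention both "autodiscover" and
# "powershell" matches the pattern the mitigation rule blocks.
SUSPICIOUS_URI = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic). IIS writes one request per
# line, space-separated, with column names given by the "#Fields:" directive.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:15:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2022-09-29 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/powershell 443 CORP\\bob 198.51.100.7 python-requests/2.28 - 200 0 0 340
2022-09-29 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/powershell 443 - 198.51.100.7 python-requests/2.28 - 401 1 0 15
2022-09-29 10:16:00 10.0.0.5 GET /autodiscover/autodiscover.json x@contoso.example/mapi/nspi 443 CORP\\carol 10.0.0.21 Outlook/16.0 - 200 0 0 80
2022-09-29 10:16:30 10.0.0.5 GET /ecp/ - 443 CORP\\dave 10.0.0.22 Mozilla/5.0 - 200 0 0 60
"""


def parse_iis_w3c(text):
    """Yield one dict per request line; column names come from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspicious_requests(text):
    """Return request records whose path+query match the autodiscover/powershell heuristic."""
    hits = []
    for rec in parse_iis_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":  # IIS logs "-" for an empty query string
            uri += "?" + query
        if SUSPICIOUS_URI.search(uri):
            hits.append({
                "when": rec.get("date", "") + " " + rec.get("time", ""),
                "client": rec.get("c-ip", "-"),
                "user": rec.get("cs-username", "-"),
                "status": int(rec.get("sc-status", "0")),
                "uri": uri,
            })
    return hits


def successful_hits(hits):
    """Matches answered with 200: the attack path needs valid credentials, so a
    401 may only be a probe that never got past authentication, while a 200
    means the request reached the backend and deserves first attention."""
    return [h for h in hits if h["status"] == 200]


def clients_by_hit_count(hits):
    """Group matches by client address to see which sources are hammering the endpoint."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("successful:", len(successful_hits(found)))
    print("clients:", dict(clients_by_hit_count(found)))
```

On a real server, feed the contents of each file under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles` on IIS) to `find_suspicious_requests` and start with the entries `successful_hits` returns: the authenticated user and client address on those lines are the first things to check, and any IIS log line with a 200 in this shape should be treated as a possible compromise, not just an attempt.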
Microsoft Defender Antivirus detects the post-exploitation malware currently used in in-the-wild exploitation of this vulnerability as Backdoor:ASP/Webshell.Y and Backdoor:Win32/RewriteHttp.A (both have threat descriptions on Microsoft Security Intelligence). Expect a variety of other post-exploitation kits to drop soon too.