New zero-day vulnerabilities in fully patched Microsoft Exchange servers are under active exploitation according to Vietnam-based cybersecurity company GTSC. They were discovered in August and allow for remote code execution on affected systems. Researchers suspect that Chinese hackers are responsible for the exploit.
Known as CVE-2022-41040 and CVE-2022-41082, the pair of vulnerabilities are being actively exploited in real-world attacks that researchers say could give the hacker foothold in the victim’s system by dropping web shells and using them to carry out movements across a compromised network.
In a blog post on the exploits, Microsoft says it is actively investigating and says it is only aware of “limited targeted attacks” using them to get into users’ systems and that verified user credentials are required by the hacker to use the exploits.
It was first spotted by a team from GTSC during a routine security monitoring and incident response exercise for a client last month. They noticed a number of obfuscated webshells in Exchange servers that were similar to a ProxyShell exploit that had been patched a year earlier.
“Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports web shell management,” researchers said in a blog post on the discovery.
Chinese hackers behind Exchange vulnerability?
The group believes it is likely a Chinese hacking group is involved in running this zero-day exploit as the webshells were encoded in simplified Chinese and among those attacks was the China chopper web shell. This is a lightweight backdoor that gives a hacker persistent remote access to a device to give them more time to continue exploring and exploiting the system.
The China chopper web shell has previously been deployed by Hafnium, a Chinese state-sponsored hacking group, that actively used it to exploit the ProxyShell vulnerabilities last year before Microsoft issued a patch.
Content from our partners
As well as dropping webshells in IIS, GTSC found these zero-day exploits were allowing for the injection of malicious DLLs into memory that would then drop and execute additional payloads on the server by making use of the WMI command-line tool.
They believe multiple organisations have been hit by active campaigns utilising these exploits but didn’t go into any more detail on how they’re being used or against which companies as it is still an active flaw.
Meet ProxyNotShell
Dubbed ‘ProxyNotShell’ by cybersecurity expert Kevin Beaumont, the new exploits follow the same path as ProxyShell but with added authentication. Writing on his Medium blog, Beaumont said organisations not running Exchange on site and which don’t have the web app facing the internet won’t be impacted by the exploit.
Microsoft says CVE-2022-41040 can enable an authenticated attacker to trigger the second exploit, CVE-2022-41082 that impacts the PowerShell handler, although no specific details have been released as it is an active exploit.
“We are working on an accelerated timeline to release a fix,” Microsoft said in a blog post, issuing mitigation measures that can help organisations protect themselves from attack, adding that “Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers.”
Exchange Online users aren’t impacted but those running Exchange on site need to review settings and apply a URL rewrite that blocks exposed remote PowerShell ports. “The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns,” Microsoft says.
It adds: “Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.” For HTTP block port 5985 and for HTTPS block 5986.
