UPDATE 5th October 2022
Added information related to scanning for the vulnerability with Elements Vulnerability Management
UPDATE 4th October 2022
Article updated to explain that hybrid on-premise Exchange / Microsoft Exchange Online solutions, used by many organizations, are still potentially vulnerable.
UPDATE 3rd October 2022
Updated the list of detections for WithSecure Elements Endpoint Detection and Response & WithSecure Countercept Managed Detection and Response.
UPDATE 1st October 2022
Microsoft have released a Mitigation script that will help in mitigating CVE-2022-41040. This can be found here.
The main Microsoft Article has also been updated , and we recommend customers with On-Premise Microsoft Exchange follow that also.
WithSecure Software Updater, part of WithSecure Elements Endpoint Protection, WithSecure Server Security Premium and WithSecure Email and Server Security Premium, will also be able to patch Microsoft Exchange, once Microsoft release patches for it.
What is the problem with On-Premise Microsoft Exchange
On September 29th, 2022, Microsoft announced that they are investigating some previously unknown vulnerabilities (CVE-2022-41040, CVE-2022-41082) on the on-premise versions of their Microsoft Exchange product.
WithSecure immediately started investigating what we can do to help our customers detect these vulnerabilities, and we will continue to update this article as our investigations continue. We strongly recommend that readers bookmark this article and refer back periodically for updates.
Additionally, we recommend that customers using on-premise Microsoft Exchange implement the mitigations as described in the Microsoft article.
NOTE: Microsoft Exchange Online has already had mitigations enabled. Organizations using a hybrid solution of Microsoft Exchange Online together with an on-premise Microsoft Exchange should still apply the mitigations to their on-premise Exchange.
WithSecure Threat Intel Commentary (30th September AM)
Reports of a zero-day vulnerability being actively exploited in Microsoft Exchange arose in the evening of 29th September where honeypots detected an exploit string similar to that of the ProxyShell vulnerability which arose in 2021. Pre-triage commentary from Microsoft recommended the same mitigation to that of ProxyShell, however two new CVE-IDs have since been issued which makes it almost certain that ProxyShell patches do not fix the issue(s).
The two vulnerabilities reported require authentication to 1.) enable Server-Side Request Forgery (CVE-2022-41040) which can be leveraged to 2.) Trigger Remote Code Execution (CVE-2022-41802) where PowerShell is accessible. These new vulnerabilities are present in on-premise Microsoft exchange servers with outlook web access (OWA) enabled. A Shodan query of --http.component:"outlook web app" ssl:[org]-- can be used to determine whether you may have external exposure.
The vulnerability is being actively exploited in the wild with Shells being initialised, and Microsoft reporting instances of 'Chopper' high-severity malware being dropped. 'Chopper' malware was also observed in the 2021 ProxyShell exploitation and is thought to be operated by Intrusion Sets with a Chinese nexus.
At the time of writing, observed Attacker IP addresses do not yet yield actionable intelligence as they appear to resolve to privacy services (TOR/VPS), however WithSecure will continue to monitor reporting from honeypot services. It is expected that exploitation attempts will increase in the coming weeks as the vulnerabilities (and, exploit strings) have been documented to such an extent, that lower capability threat actors will almost certainly be able to replicate the attacks. Patching of Microsoft Exchange (once a patch is available) can also be difficult and take time to complete.
The fact that the exploitation preconditions require a user to be authenticated is unlikely to deter ransomware actors as credential stealing has long been a common vector. ProxyShell vulnerabilities were/are a popular attack vector for many Initial Access Brokers, and it is almost certain they will have an interest into these newly reported ones also.
What WithSecure can do to help customers
Our various solutions can help mitigate and detect issues with the Microsoft Exchange.
WithSecure Elements Endpoint Detection and Response and WithSecure Countercept Managed Detection and Response detect post-exploit activity, and it will generate detections which the Security Administrator can act on.
EDR detections to look at:
- New child for server process
- Exchange http unseen connection
- IIS Exchange worker abnormal child
- Exec from perflogs
- Webserver launching shell
Use Event Search with following queries:
"Process CMDL" contains
:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\*.aspx
:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\*.ashx
:\\Perflogs\\*.dll
:\\Perflogs\\*.exe
“Process Path” equals
%systemroot%\\Perflogs
WithSecure Endpoint Protection solutions can also detect activity related to this:
EPP detections to monitor:
- Exploit.EXP/Trojan.WebShell.Gen
- Malware.HTML/ExpKit.Gen2
- Backdoor:ASPX/Genshell.A
- Trojan.TR/Webshell.*
- TR/Webshell.*
- Exploit:W32/W3WPLaunch.A!Deepguard
WithSecure Software Updater, part of WithSecure Elements Server Security, WithSecure Server Security Premium, and WithSecure Email and Server Security Premium will be able to apply patches to Microsoft Exchange once Microsoft release any.
Elements Vulnerability Management provides a non-intrusive, active check to verify whether the vulnerability exists in any of Exchange Server OWA instance. Verification is done by sending a HTTP GET request towards the scanned target, as a part of network-based vulnerability scan (SystemScan). It is not necessary to provide credentials. The vulnerability check plugin ID is 1082373 and can be found also under “Microsoft Exchange Server Remote Code Execution Vulnerability” name or using related CVE in a filter.
Related links (external)