Warning: actively exploited zero-day vulnerability in Microsoft Exchange

Update 10.10.2022 09:50: update recommendations (another change in URL rewrite rule)

Update 5.10.2022 14:00: update recommendations (small change in URL rewrite rule)

Update 30.09.2022 13:00: attacker must be authenticated

The National Cyber Security Centre SK-CERT warns of actively exploited zero-day vulnerabilities in the Microsoft Exchange Server product.

By exploiting these vulnerabilities, a remote authenticated attacker (see the update of 30.09.2022) could execute malicious code, take control of a vulnerable system, and gain unauthorized access to sensitive data. The vulnerabilities are currently being actively exploited by attackers.

Microsoft Exchange Server is one of the most popular mail servers. The impact of vulnerabilities and their exploitation is therefore global in nature.

SK-CERT is distributing to its constituency warning V20220930-01K targeting the vulnerabilities in question.

The vulnerabilities have been given the vulnerability identifiers CVE-2022-41040 and CVE-2022-41082. They are registered with the Zero Day Initiative as ZDI-CAN-18333 (CVSS score 8.8) and ZDI-CAN-18802 (CVSS score 6.3).

Recommendations

There are currently no updates available for the vulnerabilities listed. The National Cyber Security Centre SK-CERT therefore recommends:

  • Block attempts to exploit the vulnerability by creating a new IIS rule with the URL Rewrite module. Apply the rule to all Exchange servers in your infrastructure:
    • Open IIS Manager (e.g. via Server Manager).
    • In the left-hand menu, select the Autodiscover section.
    • Select the URL Rewrite entry/icon. If the URL Rewrite module is not installed in IIS:
      • you can install it from https://www.iis.net/downloads/microsoft/url-rewrite
      • follow the instructions here: https://tecadmin.net/enable-url-rewrite-iis/
      • after installation, restart IIS Manager so that the new item appears in the menu
    • In the right-hand menu, select Add Rule(s)
    • Select the rule type “Request Blocking”
    • Edit the conditions. The exact order and field names depend on the version of IIS and of the URL Rewrite module:
      • Block by URL Path
      • In the “Check if input string…” field or the “Block requests that…” field, select the “Matches the Pattern” option
      • In the Condition input field, if present, enter {REQUEST_URI} (without quotes)
      • In the Pattern field, enter (?=.*autodiscover)(?=.*powershell) (without quotes). This is the pattern as of the 10.10.2022 update; the earlier patterns .*autodiscover\.json.*\@.*Powershell.* (original) and .*autodiscover\.json.*@.*Powershell.* (5.10.2022) are superseded by it.
      • In the Using… field, select Regular Expressions
    • Apply the rule by restarting the web server (Manage Website -> Restart)
  • Check whether the vulnerabilities in question have been exploited, using PowerShell:
    • Open a PowerShell prompt with administrator privileges
    • Use the commands below to search the IIS logs for indicators of compromise (IoC). Replace the CESTA_K_IIS_LOGOM part of the command with the actual path on your system, e.g. C:\InetPub\Logs\. The second pattern is broader and will return more lines to verify.

Get-ChildItem -Recurse -Path CESTA_K_IIS_LOGOM -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*200'

Get-ChildItem -Recurse -Path CESTA_K_IIS_LOGOM -Filter "*.log" | Select-String -Pattern '(powershell|autodiscover\.json).*200'

  • Any lines matching these patterns need to be verified manually.
  • Monitor devices for non-standard connections or connection attempts. If the configuration allows it, also check historical communications, both towards the Internet and within the private network.
  • Check the security of MS Exchange instances, for example by scanning them with antivirus products
  • Change the passwords of accounts (both administrator and regular mailbox accounts) to ones that are sufficiently strong and unique
  • If the same passwords have been used elsewhere, change those passwords as well, using a different, unique password for each account
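The IIS log search above, as an added example that is not part of the SK-CERT advisory: a Python script that parses IIS W3C logs and applies the advisory's two patterns, the strict rewrite-rule pattern (?=.*autodiscover)(?=.*powershell) and the broader triage pattern (powershell|autodiscover\.json), restricted to 200 responses and evaluated on the URL-decoded request URI rather than the raw log line, so that percent-encoded variants are not missed. The log excerpt, IP addresses and hostnames are constructed, and the function names are mine, not from the advisory or from Microsoft.

```python
"""Offline IoC scan of IIS W3C logs for the autodiscover/powershell pattern.

Added example, not part of the SK-CERT advisory. It is a Python counterpart
of the advisory's Get-ChildItem | Select-String search. Unlike the one-liner
it parses the '#Fields:' header, restricts matching to the requested URI and
a 200 status, and URL-decodes the URI first so that percent-encoded variants
(for example %40 for '@') are not missed. The log excerpt is constructed.
"""
import re
from pathlib import Path
from urllib.parse import unquote

# Final blocking pattern from the advisory: both words, any order, any case.
STRICT_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)
# Broader triage pattern taken from the advisory's second PowerShell command.
BROAD_PATTERN = re.compile(r"powershell|autodiscover\.json", re.IGNORECASE)

# Constructed sample (not real traffic): a benign autodiscover request, a
# suspicious autodiscover.json request whose query reaches /powershell with
# an encoded '@', a normal OWA request, and a rejected direct /powershell call.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 08:15:02 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-29 08:15:09 10.0.0.5 POST /autodiscover/autodiscover.json %40example.test/powershell/ 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-29 08:16:30 10.0.0.5 GET /owa/ - 443 jdoe 192.0.2.44 Mozilla/5.0 200
2022-09-29 08:17:11 10.0.0.5 POST /powershell - 443 - 192.0.2.44 Mozilla/5.0 401
"""


def parse_w3c(text):
    """Yield one dict per log record, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed record: skip rather than guess
        yield dict(zip(fields, values))


def request_uri(record):
    """Rebuild the requested URI (stem + query) and URL-decode it once."""
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    return unquote(uri)


def scan_iis_log(text):
    """Return (hits, candidates) for one log file's contents.

    hits: status-200 requests whose decoded URI matches STRICT_PATTERN.
    candidates: status-200 requests matching the broader BROAD_PATTERN;
    the advisory asks for these to be verified manually.
    """
    hits, candidates = [], []
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "200":
            continue
        uri = request_uri(rec)
        entry = {"date": rec.get("date"), "time": rec.get("time"),
                 "c-ip": rec.get("c-ip"), "uri": uri}
        if STRICT_PATTERN.search(uri):
            hits.append(entry)
        if BROAD_PATTERN.search(uri):
            candidates.append(entry)
    return hits, candidates


def scan_directory(log_dir):
    """Scan every *.log below log_dir (the PowerShell -Recurse equivalent)."""
    all_hits, all_candidates = [], []
    for path in Path(log_dir).rglob("*.log"):
        hits, candidates = scan_iis_log(path.read_text(errors="replace"))
        all_hits += [dict(h, file=str(path)) for h in hits]
        all_candidates += [dict(c, file=str(path)) for c in candidates]
    return all_hits, all_candidates


if __name__ == "__main__":
    hits, candidates = scan_iis_log(SAMPLE_LOG)
    print(f"{len(hits)} strict hit(s), {len(candidates)} candidate(s) to verify")
    for h in hits:
        print("HIT", h["date"], h["time"], h["c-ip"], h["uri"])
```

On the constructed sample the strict pattern flags only the second record (the encoded `%40` is decoded before matching), while the broader pattern also returns the benign autodiscover.json request, which is why the advisory insists that matches be verified by hand. Point scan_directory at the IIS log root (the advisory's C:\InetPub\Logs\ example) to cover all sites and log files.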

We also recommend that you keep an eye on the manufacturer’s website and update affected systems immediately after security patches are released.

A good practice in network architecture is to run externally reachable servers in separate VLANs, isolated from other servers and from the internal infrastructure. If you have such a topology deployed, we also recommend reviewing the firewall policies.

If you discover a cybersecurity incident caused by the exploitation of these vulnerabilities, please report it to the incident reporting email address [email protected] or by phone on +421 2 68 69 2915.

Resources:

  • https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
  • https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  • https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-day-actively-exploited-in-attacks/
  • https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US
  • https://www.zerodayinitiative.com/advisories/upcoming/
  • https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9
  • https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/
