Skip to content
Search
Close search
Menu
Home News Two new zero-day vulnerabilities found on Microsoft Exchange Server

Affected Systems:

Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019

Description:

Researchers at cybersecurity firm GTSC have discovered two new zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, tracked as CVE-2022-41040, can allow an authenticated attacker to run PowerShell within the context of the system, while the second, CVE-2022-41082, allows for an attacker to execute code remotely. Notably, CVE-2022-41040 must be successfully exploited to trigger CVE-2022-41082; however, the exploit only needs the credentials of a standard user to be successful. Threat actors can often obtain credentials using several attacks, including phishing or data breaches, meaning that this vulnerability may catch the eye of cybercriminal’s already in possession of Microsoft users’ login details.

Microsoft has confirmed that Exchange Server is vulnerable to both of these zero-day exploits and has since released mitigation and detection information for both exploits. However, at time of writing, there is no security update to patch the vulnerabilities. Microsoft has stressed that they are “working on an accelerated timeline to release a fix” in an article outlining mitigations against the vulnerabilities.

A diagram of the stages of attacks seen using the new zero-day vulnerabilities. Source: https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

GTSC researchers first detected the vulnerability at the start of August 2022, and Microsoft has shared that they have observed attacks on fewer than ten organisations globally; however, attacks may start to increase as the zero-day have been announced publicly.

The attack detected by GTSC involved a malicious HTTP request sent to port 443:

autodiscover/[email protected]/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%[email protected] 

The malicious HTTP request was written in the same format as a ProxyShell exploit; however, it was sent and successfully exploited on an Exchange server on the latest update. The attack was suspected to be from a threat actor based in China.

Post-exploit actions from the threat actor included creating backdoors on the victim’s system, collecting information about the victim’s network, and downloading malicious code onto the victim’s compromised Exchange Server.

Preventions:

Microsoft has stressed that Microsoft Exchange Online customers do not need to take any action, only those running an Exchange server on-premise.

Microsoft has released a script to apply mitigations against the first vulnerability, CVE-2022-41040, which can be found at https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/

Additionally, Microsoft has released some mitigations for customers using Microsoft 365 Defender:

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the considerable majority of new and unknown variants.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artefacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artefacts detected post-breach.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.

Indication of compromise and detection methods can be found in GTSC’s article on the vulnerabilities here.

Related Links:

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ – Published 30th September

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ – Published 29th September

https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html – Published 28th September

03.10.22
Threat Intelligence Alerts
Sarah Gardiner
Written by
Sarah Gardiner
Ethical Hacker
,

Related articles