{"id":83353,"date":"2022-10-01T01:56:07","date_gmt":"2022-10-01T01:56:07","guid":{"rendered":"https:\/\/harchi90.com\/urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different-naked-security\/"},"modified":"2022-10-01T01:56:07","modified_gmt":"2022-10-01T01:56:07","slug":"urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different-naked-security","status":"publish","type":"post","link":"https:\/\/harchi90.com\/urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different-naked-security\/","title":{"rendered":"URGENT!  Microsoft Exchange double zero-day \u2013 \u201clike ProxyShell, only different\u201d \u2013 Naked Security"},"content":{"rendered":"<div>\n<p>Just when you hoped the week would quieten down and yield you some SecOps downtime over the weekend\u2026<\/p>\n<p>\u2026and along comes a brand new zero-day hole in Microsoft Exchange!<\/p>\n<p>more precisely, <strong>two zero-days <\/strong>that can apparently be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.<\/p>\n<p>Microsoft quickly published official guidance about these vulnerabilities, summarising the situation as follows:<\/p>\n<blockquote>\n<p>Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as <strong>CVE-2022-41040<\/strong>is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as <b>CVE-2022-41082<\/b>allows remote code execution (RCE) when PowerShell is accessible to the attacker.  <\/p>\n<p>At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users&#8217; systems.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.  It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.<\/p>\n<\/blockquote>\n<p>As far as we can see, there are two silver linings here:<\/p>\n<ul>\n<li><strong>The bugs can&#8217;t be triggered by just anyone.<\/strong> Sure, any remote user who has already logged into their email account over the internet, and whose computer is infected by malware, could in theory have their account subverted to launch an attack that exploits these bugs.  But just having your Exchange server accessible over the internet is not enough on its own to expose you to attack, because so-called <em>unauthenticated invocation<\/em> of these bugs is not possible.\n<\/li>\n<li><strong>blocking <em>PowerShell Remoting<\/em> life limit attacks.<\/strong> According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit (if not actually prevent) attackers from chaining from the first vulnerability to the second.  Although attacks might be possible without relying on triggering PowerShell commands, intrusion reports so far seem to suggest that PowerShell execution was a necessary part of the attack.\n<\/li>\n<\/ul>\n<aside id=\"sophos_ad-3\" class=\"widget sophos-inline-ad sophos_widget_ad\">\n<style><![CDATA[.s-button+.s-button { margin-left: .3125rem; } .s-button { transition: all .15s linear; font-size: .875rem; line-height: 1.5; color: #f2f2f2; font-family: SophosSansMedium, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; display: inline-block; padding: .3125rem 1.25rem; cursor: pointer; text-align: center; text-decoration: none; border: 1px solid #005bc8; border-radius: 3px; background-color: #005bc8; text-shadow: none; } .s-button:hover { text-decoration: none; color: #fff; border-color: #002d62; background-color: #002d62; } .s-button--white, .s-button--white:hover { color: #005bc8 !important; border-color: #fff; background-color: #fff; } .s-ad-sophos-mdr { font-size: 1rem; line-height: 1.5; color: #242629; font-family: SophosSansRegular, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; position: relative; max-width: 769px; margin: 15px auto; padding: 30px 30px 25px; transition: box-shadow .25s cubic-bezier( .645, .045, .355, 1 ); text-align: center; background-color: #0d141d; background-repeat: no-repeat; background-position: 50%; background-size: cover; box-shadow: 0 0 0 0 0 transparent; background-color: #005bc8; background-image: none; background-position: 0 0; } .s-ad-sophos-mdr__title { font-size: 2rem; line-height: 1.125; margin-bottom: 4px; color: #fff; } .s-ad-sophos-mdr__text { font-family: SophosSansLight, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; font-size: 17px; color: #fff; } .s-ad-sophos-mdr__action { margin-top: 15px; } .s-ad-sophos-mdr__action .s-button { color: #fff; } .s-ad-sophos-mdr__link-wrapper { text-decoration: none; } .s-ad-sophos-mdr__link-wrapper:hover .s-ad-sophos-mdr { box-shadow: 0 5px 10px 0 rgba( 0, 0, 0, .15 ); } .s-ad-sophos-mdr__sophos-logo { position: absolute; top: 15px; right: 15px; } .s-ad-sophos-mdr__sophos-logo-svg { display: inline-block; width: 64px; height: 11px; vertical-align: top; background-repeat: no-repeat; background-size: 64px 11px; } .s-ad-sophos-mdr__title { font-family: SophosSansSemibold, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; font-size: 28px; font-weight: 700; line-height: 1; margin-bottom: 10px; text-align: left; } .s-ad-sophos-mdr__title svg { max-width: 100%; } .s-ad-sophos-mdr__text { font-size: 16px; line-height: 1.25; text-align: left; } .s-ad-sophos-mdr__action { text-align: right; } .s-ad-sophos-mdr .s-button { border-radius: 20px; } @media (min-width:769px) { .s-ad-sophos-mdr__text { margin-right: 140px; } .s-ad-sophos-mdr__action { position: absolute; right: 30px; bottom: 30px; } } @media (max-width:768px) { .s-ad-sophos-mdr { padding-top: 50px; } .s-ad-sophos-mdr__title { font-size: 1.625rem; } .s-ad-sophos-mdr__text { font-size: 16px; } .s-ad-sophos-mdr { padding-top: 30px; } }]]><\/style>\n<\/aside>\n<h2>Memories of ProxyShell<\/h2>\n<p>If this attack reminds you of the ProxyShell vulnerability from about a year ago, you&#8217;re not alone in thinking that.<\/p>\n<p>To GTSC, the Vietnamese cybersecurity company that first investigated and reported these new holes, according to <em>\u201cdetected exploit requests in IIS logs with the same format as [the] ProxyShell vulnerability\u201d.<\/em><\/p>\n<p>Notably, the sort of threat-hunting query that we recommended for ProxyShell exploit spelunking back in 2021 seems to work for detecting abuse of these new zero-days, too:<\/p>\n<pre class=\"brush: sql; title: ; notranslate\" title=\"\">&#13;\nSELECT grep.*&#13;\nFROM file&#13;\nCROSS JOIN grep ON (grep.path = file.path)&#13;\nWHERE&#13;\nfile.path LIKE 'C:inetpublogsLogFilesW3SVC%u_ex210[89]%'&#13;\nAND grep.pattern = 'autodiscover.json'&#13;\n<\/pre>\n<p style=\"margin-top:2em\">Microsoft, too, notes that <em>\u201c[the detection we] created in response to ProxyShell can be used for queries as there are similarities in function with this threat.\u201d<\/em><\/p>\n<p>Of course, we don&#8217;t yet know whether the new attack can be pulled off without leaving this specific tell-tale sign in your logs.<\/p>\n<p>In other words, if you find trigger signs similar to those left behind by PowerShell exploits, you probably do have evidence of an attack, but absence of these signs is not evidence of absence.<\/p>\n<p>According to GTSC, in attacks they&#8217;ve investigated so far, the cybercriminals used their unauthorized RCE powers to implant and run a variety of follow-on malware, including:<\/p>\n<ul>\n<li><strong>Webshells implanted to open a web-based backdoor for later.<\/strong> Webshells typically allow follow-on attacks to embed arbitrary system commands, with arbitrary command arguments, into regular-looking HTTP requests.  The webshell then directly executes the desired command with the privileges of the web server itself.\n<\/li>\n<li><strong>Credential dumping malware.<\/strong> Credential stealers typically snoop around on disk and in memory (if they have sufficient privilege) looking for plaintext passwords, session cookies and authentication tokens that could allow what&#8217;s known as <em>lateral movement<\/em> to other computers on the network.\n<\/li>\n<li><strong>Zombie malware in the form of DLLs loaded into legitimate-looking processes<\/strong>.  One DLL sample that GTSC researchers analyzed could be remotely fed with encrypted instructions to dump system information, run arbitrary commands, launch C# modules, and modify files and folders on the infected system.\n<\/li>\n<\/ul>\n<p>We will update this article as we learn more, including reporting when Microsoft gets patches out to close these holes.<\/p>\n<h2>Threat hunting advice<\/h2>\n<p>For threat hunting advice from GTSC, who discovered and reported the bugs, from Microsoft, and from Sophos, please see:<\/p>\n<p>\u25b6 https:\/\/gteltsc.vn\/blog\/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html<\/p>\n<p>\u25b6 https:\/\/msrc-blog.microsoft.com\/2022\/09\/29\/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server\/<\/p>\n<p>\u25b6 https:\/\/news.sophos.com\/en-us\/2021\/08\/23\/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do\/<\/p>\n<h2>What to do?<\/h2>\n<p>Mitigations include:<\/p>\n<ul>\n<li><strong>block <em>PowerShell Remoting<\/em> to reduce the risk of RCE.<\/strong> As mentioned above, blocking TCP ports 5985 and 5986 will limit attacks on your Exchange server, according to Microsoft.\n<\/li>\n<li><strong>use a <em>URL Rewrite Rule<\/em> to block known attack triggers.<\/strong> GTSC and Microsoft have explanations of how to use IIS Server URL rewriting rules to detect and neutralise common forms of this attack.\n<\/li>\n<li><strong>Ensure behavioral endpoint threat detection is enabled, even on servers.<\/strong> As mentioned above, GTSC reports that attacks seen so far include the implanting of webshells and malware DLLs to run arbitrary commands, manipulate files, and extract system information.  This gives you numerous potentional detection-and-response indicators to get on top of a successful attack.\n<\/li>\n<li><strong>Consider deauthenticating logged-in email users.<\/strong> If you can perform some sort of endpoint security assessment on each user&#8217;s device before allowing them to reauthenticate, you will reduce (albeit not eliminate) the risk of already-compromised devices being co-opted into launching attacks.  You will also reduce what&#8217;s known as your overall <em>attack surface<\/em> by not having authenticated users hanging around who don&#8217;t need to be logged on, or who don&#8217;t even remember that they ever logged on in the first place.\n<\/li>\n<li><strong>Apply any patches as soon as they are available.<\/strong> So far, only limited attacks have been reported, mostly in South East Asia, and GTSC is deliberately witholding details of the vulnerabilities until patches are out.  But remember that once patches are published, cybercriminals will immediately start working backwards towards working exploits in the hope of catching out those who are tardy at applying updates.\n<\/li>\n<\/ul>\n<p style=\"margin-top:2em\">so far [2022-09-30T13:30Z]it looks as though the most important things to bear in mind are: [a] the tips and techniques you learned for hunting down ProxyShell attacks are almost certainly going to be helpful here, if not the only tools you may need; [b] despite the similarities (and notwithstanding anything you may have seen online), this <em>isn&#8217;t<\/em> ProxyShell, so your ProxyShell patches won&#8217;t protect you from it;  and [c] when patches do arrive, assume that they will be reverse engineered back into working exploits very quickly, so don&#8217;t delay in applying them.<\/p>\n<hr style=\"margin-top:2em\"\/>\n<p style=\"background-color: #0d69ba;padding: 0.5em;text-align: center;color: white;font-size: 90%;margin-top:2em\"><strong>LEARN MORE ABOUT WEBSHELLS AND HOW TO PREVENT THEM<\/strong><\/p>\n<hr style=\"margin-top:2em\"\/>\n\t\t\t<\/div>\n<p>    .<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just when you hoped the week would quieten down and yield you some SecOps downtime over the weekend\u2026 \u2026and along comes a brand new zero-day hole in Microsoft Exchange! more precisely, two zero-days that can apparently be chained together, with the first bug used remotely to open enough of a hole to trigger the second &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different-naked-security\/\"> <span class=\"screen-reader-text\">URGENT!  Microsoft Exchange double zero-day \u2013 \u201clike ProxyShell, only different\u201d \u2013 Naked Security<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[27923,27924,27925,1514,4092,4097],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":41216,"url":"https:\/\/harchi90.com\/microsoft-patch-tuesday-august-2022-edition-krebs-on-security\/","url_meta":{"origin":83353,"position":0},"title":"Microsoft Patch Tuesday, August 2022 Edition \u2013 Krebs on Security","date":"August 10, 2022","format":false,"excerpt":"Microsoft today released updates to fix a record 141 security vulnerabilities in its windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows. Redmond also addressed multiple flaws in Exchange Server \u2014 including one\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":87760,"url":"https:\/\/harchi90.com\/proxynotshell-the-new-proxy-hell\/","url_meta":{"origin":83353,"position":1},"title":"ProxyNotShell \u2013 the New Proxy Hell?","date":"October 5, 2022","format":false,"excerpt":"Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverage a\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":83566,"url":"https:\/\/harchi90.com\/high-severity-microsoft-exchange-0-day-under-attack-threats-220000-servers\/","url_meta":{"origin":83353,"position":2},"title":"High-severity Microsoft Exchange 0-day under attack threats 220,000 servers","date":"October 1, 2022","format":false,"excerpt":"Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/09\/congorepat-640x410.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":84424,"url":"https:\/\/harchi90.com\/state-sponsored-hackers-likely-exploited-ms-exchange-0-days-against-10-organizations\/","url_meta":{"origin":83353,"position":3},"title":"State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations","date":"October 2, 2022","format":false,"excerpt":"Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally. \"These attacks installed the Chopper web shell to facilitate hands-on-keyboard\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg\/s1600\/strike-728.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":12955,"url":"https:\/\/harchi90.com\/microsoft-releases-fix-for-zero-day-flaw-in-july-2022-security-patch-rollout\/","url_meta":{"origin":83353,"position":4},"title":"Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout","date":"July 13, 2022","format":false,"excerpt":"Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":14046,"url":"https:\/\/harchi90.com\/microsoft-patch-tuesday-july-2022-edition-krebs-on-security\/","url_meta":{"origin":83353,"position":5},"title":"Microsoft Patch Tuesday, July 2022 Edition \u2013 Krebs on Security","date":"July 14, 2022","format":false,"excerpt":"Microsoft today released updates to fix at least 86 security vulnerabilities in its windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"fifu_image_url":"https:\/\/nakedsecurity.sophos.com\/wp-content\/uploads\/sites\/2\/2022\/09\/exch-1200.png?w=775","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/83353"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=83353"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/83353\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=83353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=83353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=83353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}