Background

Microsoft Exchange Server is a platform for email, calendaring, contacts, scheduling, and collaboration developed by Microsoft. It is used for business purposes and is installed on the Windows Server operating system (OS). Microsoft Exchange Server was designed to allow users to access the messaging platform from mobile devices, desktop computers, and web-based systems. Voice messages are supported by Exchange Server’s telephony capabilities.

One of the major challenges in managing the security of an Exchange server is that it needs to be exposed to the Internet for providing services like Outlook Web Access and email access from outside the corporate network. This elevates the level of risk when the Exchange server becomes vulnerable.

Microsoft revealed on Friday that a single activity group chained two recently discovered zero-day vulnerabilities in limited attacks against fewer than ten targets worldwide in August 2022 to gain initial access and compromise Exchange systems. The attacks installed the Chopper web shell to enable hands-on-keyboard access, which the attackers used for Active Directory reconnaissance and data exfiltration.

Activity Analysis

On Thursday, September 29, a Vietnamese security company named GTSC released details and IOCs for what it said were two unpatched Microsoft Exchange Server vulnerabilities being exploited in attacks on its customers' systems since as early as August 2022. The firm stated that exploitation results in remote code execution. Based on the information made public, both vulnerabilities appeared to be post-authentication weaknesses. According to GTSC, the vulnerabilities are being used to install web shells on victim systems and establish footholds for post-exploitation activity.

Late on September 29, 2022, Microsoft acknowledged both zero-day vulnerabilities and stated that it was aware of “limited, targeted attacks leveraging the two vulnerabilities to compromise customers’ PCs.” Neither vulnerability, tracked as CVE-2022-41040 and CVE-2022-41082, had a fix as of September 30, but Microsoft said it is working on an accelerated timeline to release one.

  • CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
  • CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Successful exploitation of either vulnerability requires authenticated network access. The known attacks resemble last year's ProxyShell exploit chain. Although the two CVEs have been chained together in the attacks seen so far, either could be exploited independently or in combination with other vulnerabilities.

Because the web shell's codepage uses simplified Chinese character encoding, GTSC said it believes a Chinese threat group may be behind the ongoing attacks. The attackers have also used the China Chopper web shell, a backdoor frequently used by Chinese state-sponsored hacking groups, to maintain remote access.

Detection

To help organizations determine whether their Exchange Servers have already been compromised via this flaw, GTSC has released instructions for checking IIS log files.

When this vulnerability is exploited, the IIS logs on the Exchange server contain entries matching the pattern 'powershell.*autodiscover\.json.*\@.*200'. Searching the logs for this pattern will reveal whether the Exchange server has been exploited.

The following command can be used to detect the exploit from PowerShell on the Exchange server (replace <path-to-IIS-logs> with the directory that holds the IIS log files):

Get-ChildItem -Recurse -Path <path-to-IIS-logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts can be related to this threat:

  • Possible web shell installation
  • Possible IIS web shell
  • Suspicious Exchange Process Execution
  • Possible exploitation of Exchange Server vulnerabilities
  • Suspicious processes indicative of a web shell
  • Possible IIS compromise

Customers with Microsoft Defender Antivirus can additionally use the following alerts to identify the web shell malware currently being used to exploit this vulnerability in the wild:

  • ‘Chopper’ malware was detected on an IIS Web server
  • ‘Chopper’ high-severity malware was detected

To search for suspicious files in the Exchange folders, use the following query:

DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\\HttpProxy\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

Mitigation

Microsoft has published a script for the following URL Rewrite mitigation steps, which it said are “successful in breaking current attack chains”:

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule and select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.
  • Change the Condition input from {URL} to {REQUEST_URI}

Further Recommendations

  • Make sure that all logs from Exchange servers (audit logs, IIS logs, application logs and mail flow logs) are integrated into a SIEM solution and monitored.
  • Monitor IIS query patterns and parameters for anomalies and novelties.
  • Deploy the Exchange server behind an active web application firewall.
  • Make sure that traffic from known threat IPs is blocked at the perimeter before it reaches the Exchange server.