Microsoft Exchange Vulnerability Advisory | September 2022

Threat actors are exploiting vulnerabilities in Microsoft Exchange Servers. Here's what you need to know.

Updated:  10/4/2022

Background

On September 29th, 2022, security researchers from the cybersecurity company GTSC published a report detailing a possible new flaw in on-premises Microsoft Exchange Servers. The Microsoft Security Response Center acknowledged the vulnerabilities, CVE-2022-41040 & CVE-2022-41082, but confirmed that they require an attacker to be authenticated as an existing email user account to be exploitable. The vulnerabilities can be chained together to give an attacker with email credentials full control over the system. While Microsoft has only disclosed that this impacts on-premises Microsoft Exchange Servers, it may also affect hybrid servers. Historically, similar exploits against Microsoft Exchange Servers have been used to facilitate further attacks, such as ransomware. While a patch is yet to be released, Microsoft has provided mitigations that should be implemented.


Quick facts: what you need to know now

  • These vulnerabilities are “Zero-Day” because they are previously undiscovered flaws with no patch. 
  • Although an attacker first needs to steal credentials to exploit these vulnerabilities, attackers are starting to exploit them in the wild.
  • This does not impact Microsoft Exchange Online.

Next Steps for All on-premises Microsoft Exchange Customers:

We encourage your organization to take the following steps to mitigate against potential attacks as a security patch has not yet been released: 


  1. Block the Attack
    1. For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft will apply this mitigation automatically on Exchange Server 2016 and Exchange Server 2019.
    2. Users can also run this script, which performs the URL Rewrite mitigation steps for them: https://aka.ms/eomtv2
    3. If you do not have EEMS and the script fails, follow the guidance below.
      1. Open the IIS Manager.
      2. Expand the Default Web Site.
      3. Select Autodiscover.
      4. In the Feature View, click URL Rewrite. 
      5. In the Actions pane on the right-hand side, click Add Rules.
      6. Select Request Blocking and click OK.
      7. Add String “.*autodiscover\.json.*Powershell.*” (excluding quotes) and click OK.
      8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*Powershell.*” and click Edit under Conditions.
      9. Change the condition input from {URL} to {REQUEST_URI} 
  2. Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Disable PowerShell access for non-admin users. Guidance on how to do this is listed here.
  3. To check whether your organization has already been exploited, the following PowerShell command can be used to scan the IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder):
    1. Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
  4. Review Microsoft’s guidance for additional details. 
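Step 9 of the manual mitigation is the part most easily missed, and it matters: the URL Rewrite variable {URL} holds only the request path, while {REQUEST_URI} also includes the query string, and the "Powershell" part of the pattern only ever appears in the query string. A rule left on {URL} is present but blocks nothing. The PowerShell function below is an added example, not part of this advisory or of Microsoft's guidance; it parses a web.config and reports whether a request-blocking rule carrying the pattern from step 7 exists and is keyed on {REQUEST_URI}. The two web.config fragments are constructed samples written in IIS URL Rewrite syntax, the function and variable names are my own, and the file path in the closing comment is an assumption about where the front-end Autodiscover web.config lives on a typical Exchange install.

```powershell
# Added example (not from this advisory or from Microsoft): verifies that the
# URL Rewrite request-blocking rule from the steps above exists in a web.config
# and that its condition reads {REQUEST_URI}. {URL} holds only the path, so a
# rule keyed on {URL} never sees the query string where "Powershell" appears
# and therefore blocks nothing.

function Test-AutodiscoverBlockRule {
    param(
        [Parameter(Mandatory)] [xml] $WebConfig,
        # The string entered in step 7 of the mitigation.
        [string] $ExpectedPattern = '.*autodiscover\.json.*Powershell.*'
    )
    $result = [ordered]@{ RuleName = $null; RuleFound = $false; UsesRequestUri = $false; Mitigated = $false }
    foreach ($rule in $WebConfig.SelectNodes('//system.webServer/rewrite/rules/rule')) {
        # Look for a condition whose pattern is exactly the expected string.
        $cond = $rule.SelectSingleNode("conditions/add[@pattern='$ExpectedPattern']")
        if ($null -eq $cond) { continue }
        $result.RuleName       = $rule.GetAttribute('name')
        $result.RuleFound      = $true
        $result.UsesRequestUri = ($cond.GetAttribute('input') -eq '{REQUEST_URI}')
        $result.Mitigated      = $result.UsesRequestUri
        break
    }
    [pscustomobject]$result
}

# Constructed sample: the rule as it looks after steps 7 and 8, before the
# condition input has been changed in step 9.
$ruleOnUrl = [xml]@'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="RequestBlockingRule1" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{URL}" pattern=".*autodiscover\.json.*Powershell.*" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

# Constructed sample: the same rule after step 9.
$ruleOnRequestUri = [xml]@'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="RequestBlockingRule1" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{REQUEST_URI}" pattern=".*autodiscover\.json.*Powershell.*" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

Test-AutodiscoverBlockRule -WebConfig $ruleOnUrl          # step 9 not yet applied
Test-AutodiscoverBlockRule -WebConfig $ruleOnRequestUri   # mitigation complete

# On a server, point it at the front-end Autodiscover web.config. The path is
# an assumption (Default Web Site\Autodiscover maps there on a typical install):
# $cfg = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\Autodiscover\web.config'
# Test-AutodiscoverBlockRule -WebConfig ([xml](Get-Content -Raw -Path $cfg))
```

The first call reports RuleFound true but Mitigated false; the second reports both true. The XPath lookup matches the pattern string exactly, so if Microsoft's current guidance recommends a different pattern than the one in these steps, pass it with -ExpectedPattern rather than editing the function.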
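The Select-String command in step 3 returns raw log lines, which is enough to answer "were we hit?" but not "from where, when, and how many times?". As an added example that is not part of this advisory or of Microsoft's guidance, the PowerShell below applies the same detection pattern but uses the #Fields: directive that IIS writes at the top of each W3C log to turn every hit into an object with date, time, client IP, URI and status, so the output can be sorted and grouped for scoping. The log file it writes to the temp folder is a constructed sample (no real data), shaped only so that one line matches the advisory's pattern and one similar line with a non-200 status does not; the function, file and variable names are my own.

```powershell
# Added example (not from this advisory or from Microsoft): scans IIS W3C logs
# with the advisory's detection pattern and emits one object per hit instead
# of a raw line, using the '#Fields:' header to name the columns.

function Find-AutodiscoverPowershellHits {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        # Pattern from step 3 of the advisory; -match is case-insensitive like Select-String.
        [string] $Pattern = 'powershell.*autodiscover\.json.*\@.*200'
    )
    foreach ($file in Get-ChildItem -Recurse -Path $LogPath -Filter '*.log') {
        $fields = $null
        foreach ($line in Get-Content -Path $file.FullName) {
            # IIS declares the column layout in a directive such as
            # "#Fields: date time s-ip cs-method ..." before the data rows.
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not ($line -match $Pattern)) { continue }
            $values = $line -split ' '
            $record = [ordered]@{ File = $file.Name; Line = $line }
            if ($fields) {
                for ($i = 0; $i -lt $fields.Count; $i++) {
                    $value = $null
                    if ($i -lt $values.Count) { $value = $values[$i] }
                    $record[$fields[$i]] = $value
                }
            }
            [pscustomobject]$record
        }
    }
}

# Constructed sample log (not real data) in the default IIS W3C layout, written
# to a temp folder so the function can be exercised offline. Line 2 matches the
# advisory's pattern; line 3 is the same request but blocked (403), so it does not.
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'iis-log-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:15:01 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 198.51.100.7 Outlook/16.0 - 200 0 0 15
2022-09-30 08:16:42 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell?x=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.10 python-requests/2.28 - 200 0 0 310
2022-09-30 08:17:03 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell?x=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.10 python-requests/2.28 - 403 0 0 2
'@ | Set-Content -Path (Join-Path $sampleDir 'u_ex220930.log')

Find-AutodiscoverPowershellHits -LogPath $sampleDir |
    Select-Object date, time, 'c-ip', 'cs-uri-stem', 'cs-uri-query', 'sc-status' |
    Format-Table -AutoSize

# On a server, use the default IIS log location from step 3:
# Find-AutodiscoverPowershellHits -LogPath "$env:SystemDrive\inetpub\logs\LogFiles"
```

Against the sample only the 08:16:42 request from 203.0.113.10 is reported. On a real server, pipe the output to Group-Object 'c-ip' to see how many distinct sources hit the pattern, and remember that IIS logs rotate daily and may have been purged, so an empty result is not proof the server was never touched.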

Resources

https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/ 

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

 

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!