Microsoft confirmed on Thursday evening the existence of two critical vulnerabilities in its Exchange application that have already been exploited to compromise several servers and pose a serious risk to approximately 220,000 other people worldwide.
The currently unpatched security flaws have been actively exploited since early August, when Vietnamese security firm GTSC discovered that customer networks had been infected with malicious webshells and that the initial entry point was an Exchange vulnerability of some kind. The mysterious exploit appeared almost identical to a 2021 Exchange zero-day called ProxyShell, but the customers' servers had all been patched against that vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers concluded that the unknown hackers were exploiting a new Exchange vulnerability.
Webshells, backdoors and fake sites
“After successfully mastering the exploit, we recorded attacks to gather information and create a foothold in the victim’s system,” the researchers wrote in a paper published Wednesday. “The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.”
On Thursday night, Microsoft confirmed the vulnerabilities were new and said it was working to develop and release a fix. The new vulnerabilities are: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.
“At this time, Microsoft is aware of limited targeted attacks using both vulnerabilities to penetrate user systems,” wrote members of the Microsoft Security Response Center team. “In these attacks, CVE-2022-41040 may allow an authenticated attacker to remotely trigger CVE-2022-41082.” Team members pointed out that successful attacks require valid credentials for at least one mail user on the server.
The vulnerabilities affect on-premises Exchange servers and, strictly speaking, not Microsoft’s hosted Exchange service. The huge caveat is that many organizations using Microsoft’s cloud offering choose an option that combines on-premises and cloud hardware. These hybrid environments are as vulnerable as standalone on-premises environments.
Research on Shodan indicates that there are currently over 200,000 on-premises Exchange servers exposed to the Internet and over 1,000 hybrid configurations.
Wednesday’s GTSC post said attackers were exploiting the zero-day to infect servers with webshells, text-based interfaces that allow them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to assume that the hackers are fluent in Chinese. The commands issued also bear the signature of China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be supported by the People’s Republic of China.
GTSC went on to say that the malware the hackers ultimately install emulates Microsoft’s Exchange Web Service. It also establishes a connection to IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with a single user with one minute of login time and has only been active since August.
The malware then sends and receives data encrypted with an RC4 key generated at runtime. Beaumont went on to say that the backdoor malware appears to be new, meaning this is the first time it has been used in the wild.
People running on-premises Exchange servers should take immediate action. Specifically, they should add a blocking rule that stops the server from accepting requests matching known attack patterns. The rule can be applied by going to “IIS Manager -> Default Web Site -> URL Rewrite -> Actions”. At this time, Microsoft also recommends blocking HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082.
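The blocking rule described above matches a request-URI pattern, and the same pattern can be run over existing IIS logs to look for earlier exploitation attempts. The following Python script is an added example, not code from the article or from Microsoft; it uses the URI pattern from Microsoft's published URL Rewrite mitigation for CVE-2022-41040 (autodiscover.json followed by Powershell), matched after URL-decoding as in Microsoft's revised guidance, and the log lines it scans are constructed.

```python
"""Scan IIS W3C log lines for the ProxyNotShell request pattern.

Added example, not from the article or from Microsoft. The regex follows the
URI pattern in Microsoft's published URL Rewrite mitigation for
CVE-2022-41040; the sample log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Microsoft's first rule also required a literal '@'; the revised guidance dropped
# it and matched the URL-decoded request URI, since '%40' slipped past the original.
PATTERN = re.compile(r"autodiscover\.json.*powershell", re.IGNORECASE)


def parse_w3c(line):
    """Extract the fields this check needs. Assumes the default IIS field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port ... (constructed assumption)."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 6:  # skip directives and short lines
        return None
    return {"time": f"{parts[0]} {parts[1]}", "method": parts[3],
            "stem": parts[4], "query": parts[5]}


def is_suspicious(stem, query):
    """True when the decoded request URI (path plus query) matches the mitigation pattern."""
    uri = stem if query == "-" else f"{stem}?{query}"
    # Decode twice so double percent-encoding does not defeat the match.
    return bool(PATTERN.search(unquote(unquote(uri))))


def scan(lines):
    """Return the parsed records of every log line that matches the pattern."""
    hits = []
    for line in lines:
        rec = parse_w3c(line)
        if rec and is_suspicious(rec["stem"], rec["query"]):
            hits.append(rec)
    return hits


# Constructed W3C log excerpt: one benign OWA request, one plain-text hit,
# one percent-encoded hit, and one harmless autodiscover request.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
2022-09-29 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443
2022-09-29 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json x=y/powershell 443
2022-09-29 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json x=y%2fPowerShell 443
2022-09-29 10:02:00 10.0.0.5 GET /autodiscover/autodiscover.json - 443
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['method']} {hit['stem']}?{hit['query']}")
```

A hit in historical logs means the rule alone is not enough: the server should be treated as potentially compromised and checked for webshells.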
Microsoft’s advisory contains a host of other suggestions for detecting infections and preventing exploits until a fix is available.