On Thursday, September 29th, Microsoft publicly disclosed two unpatched vulnerabilities impacting on-premises Microsoft Exchange servers that were capable of granting remote access to threat actors. These zero-day vulnerabilities have been identified as CVE-2022-41040, which is a Server-Side Request Forgery (SSRF) vulnerability, and CVE-2022-41082, which allows remote code execution (RCE) when PowerShell is accessible to the attacker.
For the attack to be successful, access to an authenticated account in the environment is required, which limits the target surface. However, if the conditioned access is leveraged, the persistent admission allowed by the remote access could have devastating consequences.
With authenticated access, exploit CVE-2022-41040 allows the attacker to string the two vulnerabilities together in a “chain of compromise,” which can inevitably lead to the threat actor remotely triggering a custom, arbitrary code. This code could result in the deployment of additional malware, backdoors, lateral movement, and other nefarious actions.
Currently, there is no patch to remediate the issue. However, enterprise owners are encouraged to perform the following actions on their IIS Manager:
- Open the IIS Manager.
- Expand the default website.
- Select “Autodiscover.”
- In the Feature View, click “URL Rewrite.”
- In the Actions pane on the right-hand side, click “Add Rules.”
- Select “Request Blocking” and click “OK.”
- Add the following string: .*autodiscover\.json.*\@.*Powershell.*
- Click “OK.”
- Expand the rule, select the rule with the above string, and click “Edit” under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}.
Ensure the following two Remote Powershell Ports are blocked:
- HTTP: 5985
- HTTPS: 5986
Lastly, to validate if Exchange servers have already been compromised, run the following Powershell command to scan IIS logs for the known indicators of compromise:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log”
- Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200’
BinaryLab will continue to monitor this situation for developments.
BinaryLab is committed to protecting clients’ sensitive data by proactively addressing security concerns, as well as providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.
About the author
Sergio Orellana is the Chief Cybersecurity Officer of BinaryLab and leads the creation and delivery of enterprise-class cybersecurity and compliance solutions. He is a breach response expert with more than a decade of experience working on large and complex security incidents and investigations.
Learn more about Sergio here.