If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680
If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

ProxyNotShell Advisory – Microsoft Exchange Zero-day Vulnerabilities

blog photos (23)

Executive summary

On September 30th, 2022, GTSC, a Vietnamese cybersecurity company, released a warning stating, “while providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.” This vulnerability would allow attackers to formulate a specially crafted HTTP request to the on-prem exchange server over port 443, enabling the attacker to execute malicious remote code on the system as the “SYSTEM” user.

Microsoft confirmed both zero-day vulnerabilities late the evening of September 29, 2022 and said they were aware of “limited, targeted attacks using the two vulnerabilities to get into users’ systems.” Tracked as CVE-2022-41040 and CVE-2022-41082, neither vulnerability has a patch as of September 30, but Microsoft indicated it’s working on an accelerated timeline to release fixes.

  • CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
  • CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.

What to look for

WebShells

The report issued by GTSC contained indicators of compromise (IOC) native to webshell creation. Blue Team Alpha would suggest reviewing Exchange Server IIS logs to look for the following IOCs:

FileNamePath
RedirSuiteServiceProxy.aspxC:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Xml.ashxC:\inetpub\wwwroot\aspnet_client
pxh4HG1v.ashxC:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
DrSDKCaller.exeC:\root\DrSDKCaller.exe
all.exeC:\Users\Public\all.exe
dump.dllC:\Users\Public\dump.dll
ad.exeC:\Users\Public\ad.exe
gpg-error.exeC:\PerfLogs\gpg-error.exe
cm.exeC:\PerfLogs\cm.exe
msado32.tlbC:\Program Files\Common Files\system\ado\msado32.tlb

Researchers noted that all.exe and dump.dll are credential dumping tools located on the server. They also noted the attackers are taking steps to cover their tracks and delete certain files which would denote a compromise.

Suspicious activity

  • Suspicious Process – Process Spawned by Outlook Web Access
  • Suspicious Process – Exchange Server Spawns Process
  • Attacker Technique – CertUtil with URLCache Flag
  • Webshell – China Chopper Executing Commands
  • Suspicious Process – Executable Runs from C:\Perflogs

Recommendations and mitigation

Blue Team Alpha recommends all organizations using an on-prem exchange server to review their exchange server for a potential compromise and apply the temporary workaround provided by Microsoft: see here for details. Blue Team Alpha recommends enterprises to apply this workaround and update as soon as possible. To prevent future zero-days such as this one, Blue Team Alpha recommends a full migration to O365.

Blue Team Alpha is here to help

Blue Team Alpha cybersecurity experts are standing by to assist whomever may be affected by these zero-day vulnerabilities. If you think your company has been compromised, our team can conduct a compromise assessment on your network to find out the answer. Call our emergency hotline if you believe you have been compromised:


612-399-9680

Facebook
Twitter
LinkedIn
Pinterest

Related Posts