If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

ProxyNotShell Advisory – Microsoft Exchange Zero-day Vulnerabilities


Executive summary

On September 30th, 2022, GTSC, a Vietnamese cybersecurity company, released a warning stating, “while providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.” This vulnerability allows an attacker to send a specially crafted HTTP request to an on-premises Exchange server over port 443 and execute code remotely on the system as the “SYSTEM” user.

Microsoft confirmed both zero-day vulnerabilities late in the evening of September 29, 2022 and said they were aware of “limited, targeted attacks using the two vulnerabilities to get into users’ systems.” Tracked as CVE-2022-41040 and CVE-2022-41082, neither vulnerability has a patch as of September 30, but Microsoft indicated it is working on an accelerated timeline to release fixes.

  • CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
  • CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.

What to look for

WebShells

The report issued by GTSC contained indicators of compromise (IOC) associated with webshell creation. Blue Team Alpha suggests reviewing Exchange Server file systems and IIS logs for the following IOCs:

File name                    Path
RedirSuiteServiceProxy.aspx  C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Xml.ashx                     C:\inetpub\wwwroot\aspnet_client
pxh4HG1v.ashx                C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
DrSDKCaller.exe              C:\root\DrSDKCaller.exe
all.exe                      C:\Users\Public\all.exe
dump.dll                     C:\Users\Public\dump.dll
ad.exe                       C:\Users\Public\ad.exe
gpg-error.exe                C:\PerfLogs\gpg-error.exe
cm.exe                       C:\PerfLogs\cm.exe
msado32.tlb                  C:\Program Files\Common Files\system\ado\msado32.tlb

Researchers noted that all.exe and dump.dll are credential dumping tools placed on the server. They also noted that the attackers are taking steps to cover their tracks and delete files that would indicate a compromise, so the absence of these files does not rule out a compromise.
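The following PowerShell script is an added example (not part of the Blue Team Alpha advisory or the GTSC report) that sweeps an Exchange server for the file IOCs listed above and searches the IIS logs for requests to the three webshell names. The IOC paths are taken from the table; the IIS log location, the seven-day lookback and the output format are assumptions.

```powershell
# Added example: sweep a server for the file IOCs in the advisory's table and
# for IIS log entries that reference the webshell file names.
# Paths come from the advisory; $LogRoot is the default IIS log location and
# is an assumption (adjust if logs have been relocated).

$IocPaths = @(
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx',
    'C:\inetpub\wwwroot\aspnet_client\Xml.ashx',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx',
    'C:\root\DrSDKCaller.exe',
    'C:\Users\Public\all.exe',
    'C:\Users\Public\dump.dll',
    'C:\Users\Public\ad.exe',
    'C:\PerfLogs\gpg-error.exe',
    'C:\PerfLogs\cm.exe',
    'C:\Program Files\Common Files\system\ado\msado32.tlb'
)

$LogRoot      = 'C:\inetpub\logs\LogFiles'   # assumption: default IIS log root
$LookbackDays = 7                            # assumption: how far back to read logs

function Find-IocFiles {
    # Report every listed path that exists, with timestamp and SHA-256 so the
    # result can be preserved as evidence before any remediation.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Path          = $p
                LastWriteTime = $item.LastWriteTime
                Length        = $item.Length
                SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-WebshellRequests {
    # Grep IIS W3C logs for the webshell file names. A request for a name that
    # should never be served from OWA or aspnet_client is the signal here.
    param([string]$LogDirectory, [string[]]$Names, [int]$Days)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $LogDirectory -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Entry = $_.Line }
        }
}

$fileHits = Find-IocFiles -Paths $IocPaths
if ($fileHits) { $fileHits | Format-Table -AutoSize } else { 'No IOC files present.' }

$webshellNames = 'RedirSuiteServiceProxy.aspx', 'Xml.ashx', 'pxh4HG1v.ashx'
$logHits = Find-WebshellRequests -LogDirectory $LogRoot -Names $webshellNames -Days $LookbackDays
if ($logHits) { $logHits | Format-Table -Wrap } else { 'No webshell names found in IIS logs.' }
```

Run it in an elevated PowerShell session on the Exchange server. Two caveats: msado32.tlb is a normal Windows component, so its mere presence is expected and only an unexpected timestamp or hash is meaningful; and because the advisory notes that attackers delete their tooling, an empty result from the file sweep should be read together with the log search and process telemetry rather than on its own.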

Suspicious activity

  • Suspicious Process – Process Spawned by Outlook Web Access
  • Suspicious Process – Exchange Server Spawns Process
  • Attacker Technique – CertUtil with URLCache Flag
  • Webshell – China Chopper Executing Commands
  • Suspicious Process – Executable Runs from C:\Perflogs
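The detection names above describe process behaviour rather than files. As an added example (not code from the advisory or from any vendor's rule set), the script below queries Sysmon process-creation events for the same conditions: a process spawned by the IIS worker that hosts OWA/ECP or by an Exchange binary, certutil.exe run with a urlcache argument, and any executable launched from C:\PerfLogs. It assumes Sysmon is installed and logging Event ID 1 to its default channel; the seven-day window and the list of shell interpreters are assumptions.

```powershell
# Added example: map the advisory's "Suspicious activity" list onto Sysmon
# Event ID 1 (process creation). Assumes Sysmon is installed with its default
# channel name; the lookback window and interpreter list are assumptions.

$LookbackDays = 7
$Shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-SysmonProcessEvents {
    # Return process-creation events as flat objects with the fields we need.
    param([int]$Days)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Image         = $d['Image']
            CommandLine   = $d['CommandLine']
            ParentImage   = $d['ParentImage']
            ParentCommand = $d['ParentCommandLine']
            User          = $d['User']
        }
    }
}

function Test-SuspiciousProcess {
    # Tag an event with the advisory's detection names it matches; null if none.
    param($Event)
    $image  = [System.IO.Path]::GetFileName($Event.Image)
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage)
    $tags   = @()

    # OWA/ECP run inside IIS worker processes (w3wp.exe); a shell child is abnormal.
    if ($parent -ieq 'w3wp.exe' -and $Shells -icontains $image) {
        $tags += 'Process Spawned by Outlook Web Access'
    }
    # Any Exchange binary spawning a shell interpreter.
    if ($Event.ParentImage -imatch '\\Exchange Server\\V15\\Bin\\' -and $Shells -icontains $image) {
        $tags += 'Exchange Server Spawns Process'
    }
    # certutil used as a downloader via its URL cache switch.
    if ($image -ieq 'certutil.exe' -and $Event.CommandLine -imatch 'urlcache') {
        $tags += 'CertUtil with URLCache Flag'
    }
    # Executables launched from the staging directory named in the advisory.
    if ($Event.Image -imatch '^C:\\PerfLogs\\') {
        $tags += 'Executable Runs from C:\PerfLogs'
    }
    if ($tags.Count -gt 0) {
        $Event | Add-Member -NotePropertyName Detections -NotePropertyValue ($tags -join '; ') -PassThru
    }
}

$findings = Get-SysmonProcessEvents -Days $LookbackDays | ForEach-Object { Test-SuspiciousProcess -Event $_ }
if ($findings) {
    $findings | Sort-Object Time | Format-Table Time, Detections, User, ParentImage, Image, CommandLine -Wrap
} else {
    "No matching process activity in the last $LookbackDays days."
}
```

The "China Chopper Executing Commands" entry is covered by the first rule in practice, since that webshell runs its commands through the IIS worker process, which is why a shell child of w3wp.exe is the condition to alert on. If Sysmon is not deployed, the same logic can be applied to Security log event 4688 when command-line auditing is enabled, with the field names changed accordingly.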

Recommendations and mitigation

Blue Team Alpha recommends that all organizations running an on-premises Exchange server review it for a potential compromise and apply the temporary workaround provided by Microsoft: see here for details. Blue Team Alpha recommends that enterprises apply this workaround and update as soon as a patch is available. To reduce exposure to future zero-days such as this one, Blue Team Alpha recommends a full migration to O365.

Blue Team Alpha is here to help

Blue Team Alpha cybersecurity experts are standing by to assist whoever may be affected by these zero-day vulnerabilities. If you think your company has been compromised, our team can conduct a compromise assessment on your network to find out. Call our emergency hotline if you believe you have been compromised:


612-399-9680
