Microsoft has confirmed that two zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild and that patches are currently being developed to address the flaws.
The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, one of which is a Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2022-41040, and the second, tracked as CVE-2022-41082, is a remote code execution vulnerability that can be exploited if the attacker has access to PowerShell.
Microsoft said the known cases of exploitation of the flaws have so far been limited; however, threat actors have been able to exploit the flaws to gain access to users’ systems. By exploiting the first vulnerability, an attacker is able to remotely trigger the second vulnerability and execute arbitrary code; however, in order to exploit the flaws, an attacker would require authenticated access to a vulnerable Exchange Server, which limits the potential for exploitation.
According to the Vietnam-based cybersecurity company, GTSC, which reported the vulnerabilities through the Zero Day Initiative, the vulnerabilities were first exploited in August by a Chinese threat group to deploy the China Chopper web shell to achieve persistent access and to allow data theft and lateral movement within victims’ networks.
Microsoft said it is working on an accelerated timeline to fix the flaws and has deployed detections and mitigations that will help protect customers until patches are released. In the meantime, Microsoft has shared mitigations that on-premises Microsoft Exchange Server customers can apply themselves, which involve adding URL Rewrite instructions and blocking exposed Remote PowerShell ports.
Microsoft said, "The current mitigation is to add a blocking rule in 'IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions' to block the known attack patterns." Instructions for applying the URL Rewrite rule are given in this blog post.
If Microsoft Exchange admins want to check to see if their servers have already been compromised, GTSC recommends scanning IIS log files for indicators of compromise, using the following PowerShell command:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
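For admins who would rather apply the same indicator field by field than as one regex over the whole line, here is an added Python example (not GTSC's or Microsoft's code). It assumes the logs are in the standard IIS W3C format with a "#Fields:" header line, and runs over a constructed sample log rather than a real capture:

```python
from typing import Dict, Iterator, List

# Constructed sample of an IIS W3C log (not a real capture). The "#Fields:" header,
# which real IIS logs also emit, drives the parser, so column order is never assumed.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 10:01:02 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 120
2022-09-30 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.net/powershell 443 - 198.51.100.7 Mozilla/5.0 200 0 0 2200
2022-09-30 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json @example.net/powershell 443 - 198.51.100.7 Mozilla/5.0 401 0 0 35
2022-09-30 10:02:00 10.0.0.5 GET /autodiscover/autodiscover.json a=b 443 user@example.com 192.0.2.11 Mozilla/5.0 200 0 0 200
"""

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # drop the "#Fields:" token itself
            continue
        if line.startswith("#") or not fields:
            continue                       # other directives, or no header seen yet
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def is_suspicious(entry: Dict[str, str]) -> bool:
    """GTSC's indicator applied to parsed fields: the request URI contains
    autodiscover.json, an '@' and 'powershell', and IIS answered with status 200."""
    uri = (entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")).lower()
    return ("autodiscover.json" in uri and "@" in uri and "powershell" in uri
            and entry.get("sc-status") == "200")

def find_hits(text: str) -> List[Dict[str, str]]:
    """Return every parsed log entry that matches the indicator."""
    return [entry for entry in parse_w3c(text) if is_suspicious(entry)]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["cs-uri-query"], hit["sc-status"])
```

Because the status is read from the sc-status column, a "200" that merely appears later in the line (for example in time-taken) does not produce a hit, and a 401 response to the same request shape is reported separately from a successful one. Only the second sample line is flagged.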