Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 (temporarily dubbed ProxyNotShell) are being exploited in the wild.

The Zero Day Initiative (ZDI) has verified and acknowledged the two bugs. Their CVSS scores have been estimated at around 8.8 and 6.3 respectively, but have not been officially confirmed.

The first vulnerability is CVE-2022-41040: a Server-Side Request Forgery (SSRF) vulnerability.

The second is CVE-2022-41082, which allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Active attack campaigns are exploiting the Remote Code Execution (RCE) vulnerability. Where exploitation has succeeded, the attacker has been able to execute code remotely on the compromised Exchange systems.

What we know so far

The zero-day vulnerabilities only affect on-premises Microsoft Exchange instances. To exploit them, the attacker needs an authenticated user account, but elevated privileges are not required.

The two zero-days are chained to deploy China Chopper web shells for persistence and data exfiltration, which in turn lets the attackers move laterally through the victim's network. A Chinese threat group is suspected to be responsible for the ongoing attacks, based on the web shell's code page: it uses the Microsoft character encoding for simplified Chinese.

Mitigation

Microsoft has implemented automatic mitigation into Exchange Emergency Mitigation Service (EEMS).

Customers running Exchange Server 2016 or Exchange Server 2019 with the September 2021 CU or later, and with the Exchange Emergency Mitigation Service (EEMS) enabled, do not need to take any further action, as the mitigation is applied automatically.

A mitigation script and instructions for manual mitigation are available from the Microsoft Security Response Center (MSRC) for customers not running EEMS.

All customers running Exchange Server should monitor the Microsoft Security Response Center for updates on this vulnerability. At the time of writing, Microsoft has not yet released a fix.
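Because the mitigation only blocks future requests, it is worth checking whether the SSRF-to-PowerShell chain described above was already attempted against a server. The following is an added example, not code from the original post or from Microsoft: a small hunt over Exchange front-end IIS logs. It assumes the logs are in the W3C extended format with a "#Fields:" header (field names as listed in the sample), the sample log lines are constructed for the example, and the request pattern is a simplification modelled on the IIS log search in Microsoft's public guidance; tune it against your own log format before relying on it.

```python
import re
from typing import Dict, Iterator, List
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (not a real capture). The field order
# follows a common default "#Fields:" header for an Exchange front-end site.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:12:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 15
2022-09-30 08:12:07 10.0.0.5 POST /autodiscover/autodiscover.json a=%40contoso.com/powershell/ 443 CONTOSO\\bob 198.51.100.7 python-requests/2.28 - 200 0 0 812
2022-09-30 08:12:09 10.0.0.5 POST /autodiscover/autodiscover.json a=%40contoso.com/powershell/ 443 CONTOSO\\bob 198.51.100.7 python-requests/2.28 - 401 0 0 3
2022-09-30 08:13:00 10.0.0.5 GET /autodiscover/autodiscover.json - 443 CONTOSO\\carol 10.0.0.30 Outlook/16.0 - 200 0 0 22
"""

# Request shape of the SSRF-to-PowerShell chain: an Autodiscover JSON request whose
# URL carries an '@' followed by a PowerShell path. This is an assumed, simplified
# pattern modelled on Microsoft's public hunting guidance, not a complete signature.
REQUEST_PATTERN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file; always use the latest
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip malformed lines rather than misalign the fields
        yield dict(zip(fields, values))


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Return every request matching the chain, flagging those the server answered 200."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(log_text):
        url = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            url += "?" + query
        decoded = unquote(url)  # '@' is often logged as %40; match on the decoded form
        if REQUEST_PATTERN.search(decoded):
            hits.append({
                "timestamp": f"{rec['date']} {rec['time']}",
                "c-ip": rec.get("c-ip"),
                "user": rec.get("cs-username"),
                "url": decoded,
                "status": rec.get("sc-status"),
                # A 200 means the front end forwarded the request; 401/4xx are attempts
                # worth knowing about but did not reach the PowerShell back end.
                "successful": rec.get("sc-status") == "200",
            })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Count attempts and successful (HTTP 200) requests per client IP."""
    by_ip: Dict[str, Dict[str, int]] = {}
    for h in hits:
        entry = by_ip.setdefault(str(h["c-ip"]), {"attempts": 0, "successful": 0})
        entry["attempts"] += 1
        if h["successful"]:
            entry["successful"] += 1
    return by_ip


if __name__ == "__main__":
    found = hunt(SAMPLE_IIS_LOG)
    for h in found:
        flag = "SUCCESS" if h["successful"] else "attempt"
        print(f"{h['timestamp']} {h['c-ip']} {h['user']} {h['status']} {flag} {h['url']}")
    print(summarize(found))
```

A successful hit is a starting point for incident response, not proof of compromise on its own: follow it up by checking the Exchange PowerShell and application logs for the same time window and by looking for newly written web shell files under the IIS and Exchange front-end directories.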

Get support

If you are one of our Sentinel Essentials customers, custom threat detection rules for this activity have been implemented within your environment. In addition, our SOC analysts are proactively threat hunting for ProxyNotShell Indicators of Compromise (IOCs) on an ongoing basis.

This is an ongoing event and we are continuing to track the developments. If you have any questions or need support, please contact our IT service desk on 01904 562207 or email [email protected].