Microsoft confirmed late Thursday the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose serious risk to an estimated 220,000 more worldwide.
The currently unpatched security flaws have been actively exploited since early August, when Vietnam-based security firm GTSC discovered that customer networks were infected with malicious web shells and that the first entry point was some sort of Exchange vulnerability. The mysterious exploit appeared nearly identical to a 2021 Exchange zero-day called ProxyShell, but the customers’ servers were all patched against the vulnerability, which is tracked as CVE-2021-34473. Ultimately, the researchers discovered that the unknown hackers were taking advantage of a new vulnerability in Exchange.
Web shells, backdoors and fake sites
“After we mastered the exploit, we recorded attacks to gather information and gain a foothold in the victim’s system,” the researchers wrote in a message published Wednesday. “The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.”
On Thursday evening, Microsoft confirmed that the vulnerabilities were new and said it was struggling to develop and release a patch. The new vulnerabilities include: CVE-2022-41040, a server-side request spoofing vulnerability, and CVE-2022-41082, which could allow remote code execution when PowerShell is accessible to the attacker.
“At this point, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” wrote members of the Microsoft Security Response Center team. “In these attacks, CVE-2022-41040 could allow an authenticated attacker to remotely activate CVE-2022-41082.” Team members stressed that successful attacks require valid credentials for at least one email user on the server.
The vulnerability affects on-premises Exchange servers and not strictly Microsoft’s hosted Exchange service. The major caveat is that many organizations leveraging Microsoft’s cloud offerings choose an option that uses a combination of on-premises and cloud hardware. These hybrid environments are just as vulnerable as standalone on-premises environments.
Searches on Shodan indicate that there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.
Wednesday’s GTSC message said the attackers are exploiting the zero-day to infect servers with web shells, a text interface that allows them to issue commands. These web shells contain simplified Chinese characters, leading the researchers to speculate that the hackers are fluent in Chinese. The issued commands also bear the signature of the China Chopper, a web shell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People’s Republic of China.
GTSC went on to say that the malware the threat actors eventually install emulates Microsoft’s Exchange Web Service. It also connects to the IP address 137[.]184[.]67[.]33, which is hard-coded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only one user with one minute to log in and has only been active since August.
The malware then sends and receives data encrypted with an RC4 encryption key generated at runtime. Beaumont went on to say that the backdoor malware appears to be new, meaning this is the first time it has been used in the wild.
People using on-premises Exchange servers should take immediate action. Specifically, they must apply a blocking rule that prevents servers from accepting known attack patterns. The rule can be applied by going to “IIS Manager -> Default Website -> URL Rewrite -> Actions”. For now, Microsoft also recommends blocking HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082.
Microsoft’s advice includes many other suggestions for detecting infections and preventing exploits until a patch is available.