At the end of last week, indications began to spread across the online infosec and cyber community that not one but two zero-day flaws were being actively exploited in Microsoft Exchange Server.
On Friday morning UK time, we woke to find that Microsoft had published two new CVEs overnight: CVE-2022-41040, a server-side request forgery (SSRF), and CVE-2022-41082, a remote code execution (RCE) flaw reachable when the attacker can access PowerShell. Microsoft notes that authenticated access to the vulnerable Exchange server is required to exploit either of them, which is why the SSRF is chained into the RCE.
GTSC, a Vietnamese security firm, discovered the vulnerabilities during security incident response work after finding critical services under attack, with Microsoft Exchange specifically being targeted. These attacks occurred in August 2022, and GTSC submitted the vulnerabilities to the Zero Day Initiative immediately so that it could engage Microsoft and ensure patches and workarounds were issued as soon as possible.
In response, Microsoft issued initial customer guidance on the MSRC blog. Although no patches exist at the time of writing, workarounds are available, principally a URL Rewrite blocking rule on the Autodiscover front end and blocking remote PowerShell access for non-administrators.
Additionally, Microsoft posted an article on Friday to their security blog, which provided further guidance on methods for analysing attacks using these vulnerabilities.
Cyber extraordinaire Kevin Beaumont (aka @GossiTheDog) dubbed the new 0-days 'ProxyNotShell', kick-starting a thread on his Twitter feed with the information available. The name reflects the flaws' similarities to ProxyShell, the critical Exchange zero-day we saw approximately 12 months ago.
https://twitter.com/GossiTheDog/status/1575762721353916417
At the time of writing, Microsoft lists the following on-premises versions as impacted by these vulnerabilities: Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.
Exchange Online itself is not affected, but note that, contrary to how some initial reports were read, hybrid deployments (for example an on-premises organisation mid-migration to Exchange Online) still run on-premises Exchange servers, and those servers are impacted and must be addressed.
Immediately investigate and analyse your on-premises and hybrid Exchange environments to identify impacted services and start measures to protect your business.
Follow Microsoft's defined guidelines for dealing with these vulnerabilities.
Ensure that all security products are up to date with the latest signatures and IOCs so that exploitation attempts against these flaws are detected (where coverage is available). For example, Microsoft, Cisco and Trend Micro (to name just a few) have added detection coverage to their security products.
Where you have the capability, perform threat hunting to identify and defend against these threats.
If you are a Palo Alto Cortex XSOAR customer, Unit 42 have made a playbook available to rapidly automate the mitigation process.
We will not outline any of the specific detailed steps required here, but instead, please refer to the numerous useful links that can be found throughout and at the bottom of this article for information.
Please keep up to date with new guidance related to this topic, as this is likely to change as the events unfold.
UPDATE: Multiple researchers have reported that the URL Rewrite mitigation as originally published can be trivially bypassed: the original rule matched the raw, undecoded request URI and required a literal '@' in it, so the pattern was too narrow. Do not treat the original rule as a sufficient workaround on its own; apply Microsoft's revised rule, verify it against encoded request variants, and keep checking the MSRC post for further updates.
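As an added illustration of the threat-hunting and mitigation-bypass points above (this is not code from the original post, from Microsoft or from GTSC), the Python below runs Microsoft's published IIS-log hunting pattern over a few constructed W3C log lines, then emulates the originally published URL Rewrite blocking pattern against the raw {REQUEST_URI} alongside a hardened variant that URL-decodes first and does not depend on a literal '@'. The sample log lines, the hostnames and the hardened pattern are this example's own assumptions; the hardened pattern follows the decode-then-match approach of Microsoft's later revisions but is not presented as their exact rule.

```python
import re
from urllib.parse import unquote

# Microsoft's published IIS-log hunting pattern. PowerShell's Select-String is
# case-insensitive by default, so re.IGNORECASE mirrors how it was meant to run.
HUNT_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Originally published URL Rewrite "Request Blocking" pattern. It was applied to
# {REQUEST_URI}, i.e. the raw, still percent-encoded URL (URL Rewrite ignores case).
ORIGINAL_RULE = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Hardened variant (assumption, for illustration): decode once, then require both
# tokens in any order via lookaheads, without depending on a literal "@".
HARDENED_RULE = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)


def hunt_iis_log(lines):
    """Return the IIS W3C log lines that match Microsoft's hunting pattern."""
    return [line for line in lines if HUNT_PATTERN.search(line)]


def blocked_by_original_rule(request_uri):
    """Emulate the first mitigation: regex over the raw (undecoded) URI."""
    return ORIGINAL_RULE.search(request_uri) is not None


def blocked_by_hardened_rule(request_uri):
    """Decode one layer of percent-encoding (as IIS's UrlDecode does), then match."""
    return HARDENED_RULE.search(unquote(request_uri)) is not None


# Constructed sample lines in IIS W3C format (date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status ...).
# These are NOT real captured traffic; hosts and addresses are documentation values.
SAMPLE_LOG = [
    "2022-09-30 08:12:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15",
    "2022-09-30 08:12:07 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@example.org/powershell&Email=autodiscover/autodiscover.json%3f@example.org "
    "443 - 198.51.100.7 python-requests/2.28 - 200 0 0 120",
    "2022-09-30 08:13:40 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - "
    "192.0.2.11 Outlook/16.0 - 401 1 0 3",
]


def demo_rules():
    """Compare both blocking rules on a plain URI, a percent-encoded variant and
    two benign requests. Returns a dict of rule results for inspection."""
    raw = "/autodiscover/autodiscover.json?@example.org/powershell"
    encoded = "/autodiscover/autodiscover.json?%40example.org/powershell"
    benign_autodiscover = "/autodiscover/autodiscover.json?Email=user%40example.org"
    benign_powershell = "/powershell/?serializationLevel=Full"
    return {
        "raw_original": blocked_by_original_rule(raw),            # True
        "raw_hardened": blocked_by_hardened_rule(raw),            # True
        "encoded_original": blocked_by_original_rule(encoded),    # False: no literal "@"
        "encoded_hardened": blocked_by_hardened_rule(encoded),    # True: decoded first
        "benign_autodiscover": blocked_by_hardened_rule(benign_autodiscover),  # False
        "benign_powershell": blocked_by_hardened_rule(benign_powershell),      # False
    }


if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_LOG):
        print("HUNT HIT:", hit)
    for name, result in demo_rules().items():
        print(f"{name}: {'blocked' if result else 'allowed'}")
```

The point to take from the second half is that a blocking regex is only as good as the input it sees: matching the undecoded URI and insisting on one specific character gives an attacker a trivial encoding escape, whereas decoding first and matching on the two tokens that actually define the attack path is far harder to slip past. Whatever rule you deploy, test it with encoded variants of the request, not just the textbook one.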
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER - GTSC (gteltsc.vn/blog)
ProxyNotShell - the story of the claimed zero days in Microsoft Exchange - Kevin Beaumont
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 - Microsoft
CVE-2022-41040 - Server-Side Request Forgery (SSRF) vulnerability - Microsoft
CVE-2022-41082 - Remote Code Execution (RCE) Vulnerability - Microsoft
Microsoft warns of actively exploited vulnerabilities in Exchange Server - Cisco Talos
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.