State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally.

“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” the Microsoft Threat Intelligence Center (MSTIC) said in a Friday report.

The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the “highly privileged access Exchange systems confer onto an attacker.”

The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier this month on September 8-9, 2022.

The two vulnerabilities have been collectively dubbed ProxyNotShell, owing to the fact that “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, suggesting an incomplete patch.

The issues, which are strung together to achieve remote code execution, are listed below –

  • CVE-2022-41040 – Microsoft Exchange Server Server-Side Request Forgery Vulnerability
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability

“While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user,” Microsoft said. “Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”

The vulnerabilities were first discovered by Vietnamese cybersecurity company GTSC as part of its incident response efforts for a customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by October 21, 2022.

Microsoft said that it’s working on an “accelerated timeline” to release a fix for the shortcomings. It has also published a script for the following URL Rewrite mitigation steps that it said is “successful in breaking current attack chains” –

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover.json.*@.*Powershell.*” (excluding quotes)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule and select the rule with the pattern .*autodiscover.json.*@.*Powershell.* and click Edit under Conditions.
  • Change the Condition input from {URL} to {REQUEST_URI}

As additional prevention measures, the company is urging companies to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users about not accepting unexpected two-factor authentication (2FA) prompts.

“Microsoft Exchange is a juicy target for threat actors to exploit for two primary reasons,” Travis Smith, vice president of malware threat research at Qualys, told The Hacker News.

“First, Exchange […] being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function — organizations can’t just unplug or turn off email without severely impacting their business in a negative way.”