No permanent fix for the Exchange Server vulnerabilities is yet available, but other steps can mitigate the risk.

Attackers are currently exploiting two unpatched vulnerabilities to remotely compromise on-premises Microsoft Exchange servers. Microsoft confirmed the flaws late last week and published mitigation advice to use until a complete patch can be developed, but according to reports, the proposed mitigation can be easily bypassed.

The new vulnerabilities were discovered in early August by a Vietnamese security company called GTSC while performing security monitoring and incident response for a customer whose servers were attacked. Initially, the GTSC researchers thought they might be dealing with a ProxyShell exploit, because the malicious requests seen in the server logs looked similar. ProxyShell is an attack that chains three Exchange vulnerabilities and was patched last year.

However, the incident response team quickly realized that the compromised Exchange servers, on which the attackers had obtained remote code execution, were fully up to date, which meant this couldn't be ProxyShell. After reverse engineering confirmed they were dealing with previously unknown vulnerabilities, they submitted a report to Trend Micro's Zero Day Initiative (ZDI) program, whose analysts confirmed the flaws and shared them with Microsoft.

The new attack exploits two vulnerabilities

The new attack chain exploits two new flaws that Microsoft now tracks as CVE-2022-41040 and CVE-2022-41082. The first is a server-side request forgery (SSRF) issue that allows an authenticated attacker to trigger the second vulnerability, which in turn allows remote code execution when PowerShell is accessible to the attacker. The flaws affect Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019; Microsoft Exchange Online already has detections and mitigations in place.
“It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft said in its advisory.

In the attacks seen by GTSC across multiple customers, the attackers used the exploit to deploy web shells (backdoor scripts) masquerading as legitimate Exchange files, such as RedirSuiteServiceProxy.aspx. They then deployed credential-dumping malware to steal credentials from the compromised servers. Based on the choice of web shells and other artifacts left behind, the researchers suspect the attackers are Chinese.

According to a separate report by Cisco Talos, the attackers used Antsword, a popular Chinese-language open-source web shell; SharPyShell, an ASP.NET-based web shell; and China Chopper. They also abused certutil, a legitimate Windows utility, to download and deploy implants.

Microsoft's mitigation for the Exchange Server zero-days can be bypassed

Microsoft's proposed mitigation is to block the known attack patterns with the URL Rewrite engine, available under IIS Manager -> Default Web Site -> URL Rewrite -> Actions. The company provided a blocking rule and a PowerShell script to automate its deployment.

However, a Vietnamese security researcher with the Twitter handle Janggggg pointed out on Monday that the blocking rule can easily be bypassed. This was confirmed by other security researchers, including former CERT/CC analyst Will Dormann, who wrote:

“The ‘@’ in the Microsoft-recommended “.*autodiscover.json.*@.*Powershell.*” URL block mitigations for CVE-2022-41040 CVE-2022-41082 seems unnecessarily precise, and therefore insufficient. Probably try “.*autodiscover.json.*Powershell.*” instead.”

In addition to the blocking rule, Microsoft also strongly recommends that organizations disable remote PowerShell access for non-admin users, because without the ability to reach PowerShell from a compromised account, the attack would be ineffective.
That still leaves admin users vulnerable, but if an admin account is compromised the attackers already have a lot of power. Microsoft provides instructions on how to disable remote PowerShell access for users in a separate article, as well as detection and threat-hunting guidance for the currently observed attacks. The GTSC and Talos reports also contain indicators of compromise.