Secplicity – Security Simplified

Two Microsoft Exchange Server Zero-Day Vulnerabilities (aka ProxyNotShell)

Update 10/6/2022 :

Microsoft has released several updates since their post on the “ProxyNotShell” Exchange vulnerabilities. If you followed only their initial mitigation steps, those are not sufficient to block this threat and your Exchange server may remain vulnerable. Security researchers began poking at the initial mitigation recommendations and found ways to bypass the original detection and blocking rules. Security researcher Will Dormann has been tracking the mitigation bypasses, most recently pointing out a fix to the URL Rewrite rule that involves switching the condition input from {REQUEST_URI} to {UrlDecode:{REQUEST_URI}}, so that URL-encoded requests are decoded before the blocking pattern is applied. Kevin Beaumont also covered the issue in a video posted on Twitter.

That said, Microsoft has updated their post with new mitigation guidance, which includes the following three options:

  1. The EEMS rule is updated and is automatically applied.
  2. The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.
  3. The URL Rewrite rule instructions have been updated (see Microsoft's post for more detail).

The Microsoft Security Threat Intelligence team noted an additional tip and recommendation, “Many organizations exclude Exchange directories from antivirus scans for performance reasons. It’s highly recommended to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance and still ensure the highest level of protection. Exclusions can be managed via Group Policy, PowerShell, or systems management tools like System Center Configuration Manager.” Simply put, do not exclude Exchange directories from AV scanning: the webshells and DLLs an attack like this drops land in exactly those directories, and an exclusion would let them go unscanned.

Be sure to implement the updated advice from Microsoft’s post. While they haven’t confirmed this, we expect Microsoft will release a patch for this issue during Microsoft Patch Day next Tuesday.

Original Post

Microsoft has published guidance on two new zero-day vulnerabilities affecting all versions of Microsoft Exchange Server released since 2013. Chained together, the two vulnerabilities allow an attacker to remotely execute code (a remote code execution, or RCE, flaw) on vulnerable versions of Exchange. An attacker with authenticated access to the server can exploit the server-side request forgery (SSRF) vulnerability (CVE-2022-41040) to reach the PowerShell back end and then the RCE flaw (CVE-2022-41082) to run arbitrary code, but only against Exchange servers where PowerShell remoting is accessible to the attacker.

While this attack scenario requires authentication, which limits its severity somewhat, threat actors are exploiting it in the wild today and using it to install malicious webshells and DLLs on vulnerable servers. There are no patches for the vulnerabilities yet, but Microsoft says it is working on fixes on an accelerated timeline.

In the meantime, Microsoft has documented mitigation steps to defend against these vulnerabilities. One recommendation is adding a URL Rewrite rule to the Exchange Autodiscover front end that blocks requests matching the known attack pattern; a separate recommendation is to block the Remote PowerShell ports (HTTP 5985 and HTTPS 5986) for non-administrative users. You can find those and Microsoft's other mitigation recommendations here. Security researchers have commented that this attack's initial access looks very similar in format to the ProxyShell vulnerability. If you use Microsoft Exchange Online, Microsoft is monitoring and securing their cloud against this exploit.

The Vietnam-based security company GTSC also reported on these vulnerabilities on September 28th, 2022. Their post includes steps and a detection tool for scanning IIS log files to detect compromise:


Method 1: Use PowerShell command: Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Method 2: Use the tool developed by GTSC: Based on the exploit signature, we built a tool to search with a much shorter time needed than using PowerShell. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner


We share their post exploitation indicators of compromise (IOCs) at the end of this post.

Do WatchGuard Products Help?

WatchGuard has released an IPS signature for the Firebox's IPS service that detects the main remote code execution vulnerability this attack exploits. You can find details about it here. Both WatchGuard's network and endpoint antimalware products can detect the webshells and malicious DLLs seen in this attack. Finally, you can and should use a Firebox to block the Remote PowerShell ports mentioned above (5985/5986). In general, remote PowerShell access is not something you should expose to the whole Internet.

Post Exploitation IOCs:

Webshell:

File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

Filename: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

DLL:

File name: Dll.dll
SHA256:
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File name: 180000000.dll (dumped from the Svchost.exe process)
SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11

URL:
hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:
137[.]184[.]67[.]33
