On September 30, 2022, Microsoft announced security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019.

This article covers how to use the security OSINT tool to find servers with these vulnerabilities, followed by a case study of an exploitable server. Two vulnerabilities have been discovered: CVE-2022-41082 and CVE-2022-41040. An attacker who already has authenticated access to the target Exchange Server can chain both CVEs to launch a Remote Code Execution (RCE) attack on the server.

Outlook login screen of a service that uses a Microsoft Exchange Server affected by the announced zero-day vulnerabilities

How Hackers Exploit Microsoft Exchange Zero-day Vulnerabilities

Hackers use CVE-2022-41040 (CVSSv3 score 8.8), a Server-Side Request Forgery (SSRF) flaw, to escalate privileges. They then achieve remote code execution using CVE-2022-41082 (CVSSv3 score 8.8). After compromising the Exchange Server, they install malicious apps through which Active Directory and data are leaked.

Hackers often target exposed and vulnerable Exchange servers. They then send an HTTP request of the form ‘autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com’, which lets them bypass the block rules Microsoft recommended. Once the backend becomes reachable this way, a vulnerable Exchange backend component allows for RCE.

Exploit process used by hackers to exploit the Microsoft Exchange zero-day vulnerabilities

Image Source: Microsoft Security, Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

GTSC, a Vietnamese cybersecurity company, confirmed that the SSRF attack using CVE-2022-41040 occurred when an obfuscated web shell (a script planted on a web server that allows it to be controlled remotely) was requested on the Exchange server. The attacker's user agent identified Antsword, an open-source, cross-platform web shell management tool originating in China. The web shell used Windows code page 936, the character encoding for simplified Chinese. This suggests that a Chinese hacking group carried out the attack. Another notable point is the RedirSuiteServiceProxy.aspx file, a legitimate file that ships with the Exchange server: its contents had been replaced with the code found in the web shell file.

# Server Requested Webshell (first line of the file)

<%@Page Language="Jscript"%>
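The two indicators described above, the Autodiscover request that smuggles a backend endpoint behind an "@" sign and a legitimate .aspx page whose contents were swapped for a web shell, can both be checked from the defender's side. The script below is an added example written for this article, not code from the original post or from Criminal IP. It scans IIS W3C log lines for the request pattern (matching on the URL-decoded form so the "%3f" variant is caught too) and compares Exchange .aspx files against a known-good hash baseline, using the Jscript page directive shown above as a secondary signal. The log lines, file contents, field order and the directory name "exchange_webroot" are constructed for illustration.

```python
"""Defensive checks for the ProxyNotShell indicators described in the article.

Added example, not code from the original article or from Criminal IP.
All sample log lines, file contents and paths are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import unquote

# Field order assumed for the constructed IIS W3C log lines below.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "c_ip", "user_agent", "referer", "status"]

# The request shape from the article: the Autodiscover JSON path, an "@host"
# segment that redirects to a backend, and a PowerShell endpoint after it.
SUSPICIOUS_URL = re.compile(r"autodiscover/autodiscover\.json.*@.*powershell", re.IGNORECASE)

# First line of the web shell quoted above; legitimate Exchange pages use C#.
JSCRIPT_DIRECTIVE = re.compile(rb'<%@\s*Page\s+Language\s*=\s*"Jscript"', re.IGNORECASE)


def parse_iis_line(line):
    """Split one W3C log line into a dict; comment lines and short lines give None."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_proxynotshell_requests(log_lines):
    """Return (client_ip, decoded_url, user_agent) for every matching request."""
    hits = []
    for line in log_lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        url = rec["uri_stem"]
        if rec["uri_query"] != "-":
            url += "?" + rec["uri_query"]
        decoded = unquote(unquote(url))  # two passes so %253f -> %3f -> ? is also caught
        if SUSPICIOUS_URL.search(decoded):
            hits.append((rec["c_ip"], decoded, rec["user_agent"]))
    return hits


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_aspx_integrity(current_files, baseline_hashes):
    """Flag files missing from the baseline, differing from it, or carrying the Jscript directive.

    current_files: {path: bytes} read from the server.
    baseline_hashes: {path: sha256 hex} recorded from a known-good installation.
    """
    findings = []
    for path, data in current_files.items():
        reasons = []
        expected = baseline_hashes.get(path)
        if expected is None:
            reasons.append("not in baseline")
        elif sha256(data) != expected:
            reasons.append("hash mismatch")
        if JSCRIPT_DIRECTIVE.search(data):
            reasons.append("Jscript page directive")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample IIS log: one benign OWA hit, one exploit-shaped request, one normal Autodiscover call.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status",
    "2022-10-01 08:12:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200",
    "2022-10-01 08:13:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 antSword/v2.1 - 200",
    "2022-10-01 08:14:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com 443 - 198.51.100.21 Outlook/16.0 - 200",
]

# Constructed file contents: a placeholder known-good page and a tampered copy.
GOOD_REDIR = b'<%@ Page Language="C#" %>\r\n<!-- placeholder body of the legitimate page -->'
TAMPERED_REDIR = b'<%@Page Language="Jscript"%>\r\n<!-- remainder of the web shell deliberately omitted -->'
REDIR_PATH = "exchange_webroot/RedirSuiteServiceProxy.aspx"  # constructed path
BASELINE = {REDIR_PATH: sha256(GOOD_REDIR)}
CURRENT = {REDIR_PATH: TAMPERED_REDIR}


if __name__ == "__main__":
    for ip, url, ua in find_proxynotshell_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip} ({ua}): {url}")
    for path, reasons in check_aspx_integrity(CURRENT, BASELINE):
        print(f"{path}: {', '.join(reasons)}")
```

The baseline hashes should be taken from a patched, freshly installed server of the same build, since any Exchange update legitimately changes these files; a hash mismatch alone is a prompt to inspect the file, while the Jscript directive in a page that ships as C# is a strong signal on its own.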

Detect Exploitable Microsoft Exchange Servers Using OSINT Tools

Users can search for Exchange servers with the Exchange zero-day vulnerabilities using Criminal IP (https://www.criminalip.io). Use the cve_id filter and search for CVE-2022-41082. Searching for this vulnerability yields 91,807 IP addresses hosting vulnerable Exchange servers.

[Criminal IP Search 101 – Is your MS Exchange Server Safe?]

Search Query: cve_id: CVE-2022-41082

Search results for CVE-2022-41082, an Exchange zero-day vulnerability, on the security OSINT tool Criminal IP

Port statistics show that most IP addresses with Microsoft Exchange zero-day vulnerabilities have both ports 80 and 443 exposed. Other open ports are often variations of 443, such as 8443, 4433, etc.

Port statistics for the Microsoft Exchange zero-day vulnerability search results on Criminal IP

Furthermore, we can see that some IP addresses are still operating in a vulnerable state with weak certificates.

Server with the Microsoft Exchange vulnerability, hosted with a weak certificate

Most IP addresses found with Criminal IP have the vulnerable ports 80 and 443 open. The Inbound Score is also rated critical, which tags these IP addresses as malicious. As seen below, the IP address intelligence report lists a total of 89 exposed vulnerabilities, including issues other than CVE-2022-41082 and CVE-2022-41040. Furthermore, this IP address is a Hosting IP, which means that if a hacker escalates privileges through CVE-2022-41040, they can penetrate the internal network and leak further data from the server.

Analysis results for the IP address of a server with a Microsoft Exchange zero-day vulnerability, 89 vulnerabilities mapped
Port and vulnerability information for the IP address of a server with a Microsoft Exchange zero-day vulnerability

How Companies and Organizations Address Microsoft Exchange Zero-day Vulnerabilities

Microsoft recommends adding the *autodiscover\.json.*Powershell.* block rule under IIS Manager → Default Web Site → URL Rewrite → Actions in order to block the known attack pattern, and also recommends disabling remote PowerShell access.

However, as with all zero-day vulnerabilities, it is very difficult to determine how these new vulnerabilities affect a given server. Usually, corporate security teams rely on vulnerability scanners to decide which vulnerability to act on when zero-day issues occur. However, it is difficult to scan every server in operation, and it is also difficult to respond quickly once an attack takes place.

Using the security OSINT tool, you can quickly find assets affected by the Microsoft Exchange zero-day vulnerabilities. In addition, you can manage the attack surface effectively by scanning for vulnerabilities, including neglected assets that are not tracked internally and ports opened by mistake. Therefore, to quickly check whether a Microsoft Exchange zero-day threat applies to you, search your IP address on Criminal IP and check whether these CVEs are mapped to it.

Check out this analysis article about the Zero-day vulnerability exploits found in June 2022 on Atlassian’s Confluence server.

Source: Criminal IP (https://www.criminalip.io)