Microsoft Exchange Server just can't seem to catch a break. Last year, Microsoft warned about widespread attacks on on-premises servers and rushed to detail mitigations and release security updates within weeks. Now the software is once again under attack, this time via two 0-day vulnerabilities.
As is usually the case, Exchange Online customers are not affected and don't need to do anything. The vulnerabilities apply to on-premises installations of Exchange Server 2013, 2016, and 2019.
The two vulnerabilities are tracked as CVE-2022-41040 and CVE-2022-41082. The former is a Server-Side Request Forgery (SSRF) vulnerability, while the latter allows a malicious actor to achieve remote code execution (RCE) through PowerShell. That said, an attacker needs authenticated access to the Exchange Server to leverage either of the two vulnerabilities.
Since there is no patch available yet, Microsoft understandably hasn't gone into the details of the attack chain. That said, it has noted a couple of mitigations: adding a blocking rule through the IIS URL Rewrite module, and blocking ports 5985 (HTTP) and 5986 (HTTPS), which are used by Remote PowerShell.
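The two mitigations the article mentions, as an added PowerShell example for checking and applying them on an Exchange host (not taken from the article or from Microsoft's guidance). It assumes the standard WebAdministration and NetSecurity modules and the default IIS site name; the rule name and the site path are assumptions.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session on the
# Exchange Server itself. Assumes Windows Server with the WebAdministration and
# NetSecurity modules (present on Server 2016+ with IIS installed).
Import-Module WebAdministration
Import-Module NetSecurity

# 1. Check whether anything is listening on the Remote PowerShell (WinRM) ports
#    named in the article, so you know whether the port block changes anything.
$rpsPorts = 5985, 5986
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $rpsPorts -contains $_.LocalPort }
if ($listeners) {
    Write-Host "Listening on Remote PowerShell ports:" -ForegroundColor Yellow
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Host "Nothing is listening on 5985/5986."
}

# 2. Block inbound TCP 5985/5986 with a Windows Firewall rule, unless one with this
#    (assumed) name already exists. This only affects inbound connections to this host.
$ruleName = 'Block Remote PowerShell ports (Exchange 0-day mitigation)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $rpsPorts -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
} else {
    Write-Host "Firewall rule '$ruleName' already present."
}

# 3. List the URL Rewrite rules on the Autodiscover application so you can confirm
#    that the blocking rule from Microsoft's guidance has been added. The article does
#    not give the rule's pattern, so this only shows what is currently configured.
$autodiscover = 'IIS:\Sites\Default Web Site\Autodiscover'   # assumed default site name
Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath $autodiscover |
    Select-Object name, patternSyntax, stopProcessing | Format-Table -AutoSize
```

Blocking 5985/5986 also cuts off WinRM-based remote administration of the host, so apply the rule from a console session or one you can still reach afterwards.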
Unfortunately, there are no specific hunting queries available for Microsoft Sentinel, and Microsoft Defender for Endpoint can only detect post-exploitation activity; this includes detection of the "Chopper" web shell, which has been spotted in in-the-wild attacks. Microsoft has assured customers that it is working on an "accelerated timeline" for a fix, but has not disclosed a tentative patch release date as of yet. You can find more details about mitigations and detections for the 0-day vulnerabilities here.