"We are working on an accelerated timeline to release a fix. Until then, we're providing mitigations and the detection guidance below to help customers protect themselves from these attacks." - reads the Microsoft advisory as published on 29th September 2022.
Microsoft has publicly reported two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. An attacker needs authenticated network access to exploit either vulnerability successfully. According to researchers, the attack appears to be a variant of last year's infamous ProxyShell exploit chain.
According to the Vietnamese cybersecurity outfit GTSC, which first reported the ongoing attacks, the two zero-days are chained to deploy China Chopper web shells for persistence and data theft, and to move laterally through the victim's networks.
Microsoft states that Exchange Online customers do not need to take any action, while it has provided mitigations for on-premises Microsoft Exchange customers.
To check whether your Exchange Servers have been compromised through these flaws, search the IIS logs for the exploit signature:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
<Path_IIS_Logs>: the default location is the %SystemDrive%\inetpub\logs\LogFiles folder, but check the path configured on your server.
Because the check is based on the exploit signature, the search can be completed in much less time with the NCSE0Scanner tool. Download link: https://github.com/ncsgroupvn/NCSE0Scanner
Below is the step-by-step procedure provided by Microsoft to mitigate the risk of exploitation for the above issues:
The pattern used in the mitigation rule:
.*autodiscover\.json.*\@.*Powershell.*
... and click OK.
.*autodiscover\.json.*\@.*Powershell.*
... and click Edit under Conditions.