On 29 September 2022, Microsoft published a blog post detailing the detection and mitigation of new vulnerabilities in MS Exchange servers: CVE-2022-41040 (Server-Side Request Forgery, SSRF) and CVE-2022-41082 (Remote Code Execution, RCE). The first vulnerability allows the second to be triggered remotely. The attack involves sending a specially crafted request to the Exchange server, which gives the attacker access to a backend Exchange component and lets them execute code via PowerShell.
At the time of writing, Microsoft has released a patch for this vulnerability, but methods to get around it were developed quickly. The issue is serious: the two vulnerabilities were scored CVSS 6.3 and 8.8, and they affect popular, widely deployed servers.
Microsoft describes detection and mitigation methods in detail, but the simplest recommended mitigation is to disable remote PowerShell access (at least for ordinary, non-administrative users). In our environment, the attack methods were reproduced and defence mechanisms were applied. The SOC L1 team conducted analysis and threat hunting using our security systems.
To determine whether a system was targeted, check whether the attackers left specific files on the server (finding them is unlikely, since it has been established that they were deleted after successful attacks). It is also worth analysing the logs for requests to the Exchange server that contain specific keywords. Automated tools that scan a system for signs of attackers have also been developed. To defend against the attack, configure the corresponding rule in the URL Rewrite module on the IIS server. All technical details can be found in the source articles below.
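As an illustration of the log analysis and the URL Rewrite mitigation described above, here is a small Python example that is not part of the original post and not code from Microsoft's guidance. It parses a constructed IIS W3C log excerpt and flags requests that combine the indicators the guidance names (a request for autodiscover.json whose query contains "@" and "powershell", answered with HTTP 200), and it tests request URIs against the regular expression used in the initial URL Rewrite blocking rule. The log lines, IP addresses and host names are made up; the hunting pattern is my approximation of the published one, and the blocking pattern is a parameter so the current version from Microsoft's guidance can be substituted.

```python
import re
from typing import Dict, Iterator, List, Optional, Set

# Constructed IIS W3C log excerpt (not from any real server). The third and
# fourth entries are shaped like the request the detection guidance describes;
# the host name placeholder.test and the client addresses are made up.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2022-09-30 10:00:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.11 Outlook/16.0 200 0 0 31
2022-09-30 10:00:03 10.0.0.5 GET /autodiscover/autodiscover.json x=@placeholder.test/powershell 443 - 198.51.100.7 python-requests/2.28 200 0 0 120
2022-09-30 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.json x=@placeholder.test/powershell 443 - 198.51.100.7 python-requests/2.28 401 1 0 9
"""

# Approximation of the published hunting pattern: an autodiscover.json request
# whose URI also carries an '@' and the word 'powershell' (assumption, not the
# exact regex from the guidance). IIS logs URIs in mixed case, so ignore case.
HUNT_PATTERN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# The condition pattern of the first URL Rewrite blocking rule Microsoft
# published, as I recall it; treat it as an assumption and replace it with the
# pattern from the current guidance, since bypasses of the early rule were found.
DEFAULT_BLOCK_PATTERN = r".*autodiscover\.json.*\@.*Powershell.*"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line of a W3C extended log.

    IIS writes a '#Fields:' header whenever the log is (re)opened, so the
    field list is refreshed each time one is seen. Lines whose column count
    does not match the header are skipped rather than mis-attributed.
    """
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data encountered before a #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_suspicious_requests(text: str,
                             statuses: Optional[Set[str]] = frozenset({"200"})
                             ) -> List[Dict[str, str]]:
    """Return log entries matching the hunting pattern.

    By default only requests the server answered with 200 are returned, as in
    the published guidance; pass statuses=None to also see failed attempts
    (e.g. 401), which are still worth a look when hunting.
    """
    hits = []
    for entry in parse_w3c(text):
        target = f"{entry['cs-uri-stem']}?{entry['cs-uri-query']}"
        if statuses is not None and entry.get("sc-status") not in statuses:
            continue
        if HUNT_PATTERN.search(target):
            hits.append(entry)
    return hits


def rewrite_rule_blocks(request_uri: str,
                        pattern: str = DEFAULT_BLOCK_PATTERN) -> bool:
    """Emulate the URL Rewrite condition: would this {REQUEST_URI} be aborted?

    URL Rewrite conditions ignore case by default (ignoreCase="true"), so the
    check is case-insensitive here too. Use this to confirm the rule matches
    the malicious shape without blocking ordinary autodiscover traffic.
    """
    return re.match(pattern, request_uri, re.IGNORECASE) is not None


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG):
        print("suspicious:", hit["date"], hit["time"], hit["c-ip"],
              hit["cs-uri-stem"], hit["cs-uri-query"], hit["sc-status"])
    for uri in ("/autodiscover/autodiscover.json?x=@placeholder.test/powershell",
                "/autodiscover/autodiscover.json?Email=alice@corp.example",
                "/owa/"):
        print(f"{uri!r} blocked by rewrite rule: {rewrite_rule_blocks(uri)}")
```

In practice the parser would be run over every file under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles`) rather than the embedded sample, and the second URI above shows why the rule pattern matters: a legitimate autodiscover request with an e-mail address contains an "@" but is not blocked, while the request with the "powershell" segment is.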
Sources:
Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
