
High-level Microsoft Exchange 0-day attack threatens 220,000 servers

Written by adrina

Microsoft late Thursday confirmed the existence of two critical vulnerabilities in Exchange Server that have already been used to compromise multiple servers and that pose a serious risk to an estimated 220,000 others around the world.

The currently unpatched vulnerabilities have been actively exploited since early August, when Vietnam-based security firm GTSC discovered that customer networks were infected with malicious webshells and that the initial entry point was some kind of Exchange vulnerability. The mysterious exploit looked almost identical to the 2021 Exchange vulnerability chain known as ProxyShell, but the customers' servers had all been patched against the vulnerability tracked as CVE-2021-34473. Eventually, the researchers determined that the unknown attackers were exploiting a new vulnerability in Exchange.

Webshells, backdoors and fake websites

“After successfully mastering the exploit, we recorded attacks to gather information and gain a foothold in the victim’s system,” the researchers wrote in a post published Wednesday. “The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.”

On Thursday evening, Microsoft confirmed that the vulnerabilities were new and said it was working to develop and release a patch. The new vulnerabilities are CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.

“Currently, Microsoft is aware of limited targeted attacks that use the two vulnerabilities to compromise users’ systems,” wrote members of the Microsoft Security Response Center team. “In these attacks, CVE-2022-41040 could allow an authenticated attacker to remotely trigger CVE-2022-41082.” Team members emphasized that successful attacks require valid credentials for at least one email user on the server.

The vulnerabilities affect on-premises Exchange servers, not, strictly speaking, the Exchange Online service hosted by Microsoft. The big caveat is that many organizations using Microsoft's cloud offering choose a hybrid option that mixes on-premises and cloud infrastructure. The on-premises Exchange servers in these hybrid environments are just as vulnerable as those in standalone on-premises deployments.

Searches on Shodan show that there are currently more than 200,000 on-premises Exchange servers exposed to the internet and more than 1,000 hybrid configurations.

Wednesday's GTSC post said the attackers are exploiting the zero-day to plant webshells on servers: small server-side scripts that let the attackers issue commands to the host through ordinary HTTP requests. These webshells contain Simplified Chinese characters, leading researchers to suspect that the hackers are fluent in Chinese. Commands issued also bear the signature of China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be supported by the People's Republic of China.

GTSC went on to say that the malware the attackers eventually install impersonates Microsoft's Exchange Web Services (EWS). It also connects to the IP address 137[.]184[.]67[.]33, which is hard-coded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with just a single user with a one-minute login time and has only been active since August.


The malware then sends and receives data encrypted with a runtime-generated RC4 encryption key. Beaumont went on to say that the backdoor malware appears to be new, meaning this is the first time it has been used in the wild.

People running on-premises Exchange servers should take immediate action. In particular, they should apply an IIS URL Rewrite request-blocking rule that rejects requests matching the known attack pattern. Microsoft's guidance places the rule at "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions". For now, Microsoft also recommends blocking the remote PowerShell ports 5985 (HTTP) and 5986 (HTTPS), which it says attackers use to reach CVE-2022-41082.
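The same two interim mitigations, scripted so they can be applied consistently across a fleet, as an added example that is not Microsoft's script and not part of the original article. It assumes an elevated PowerShell session on the Exchange server with the IIS URL Rewrite module and the WebAdministration module present. The rule name and the regular expression are this example's own choices; Microsoft revised its recommended pattern several times after the initial advisory, so copy the current pattern from Microsoft's guidance rather than this one.

```powershell
# Added example (not Microsoft's mitigation script). Run elevated on the Exchange server.
#   1. IIS URL Rewrite request-blocking rule on the Autodiscover virtual directory
#   2. Windows Firewall rule blocking inbound TCP 5985/5986
# Assumptions: URL Rewrite module installed; rule name and regex are illustrative.
Import-Module WebAdministration

$site     = 'IIS:\Sites\Default Web Site\Autodiscover'
$ruleName = 'Block-Autodiscover-PowerShell-Example'   # example name, not Microsoft's
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

# Idempotent: a second run must not add a duplicate rule.
if (-not (Get-WebConfiguration -PSPath $site -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{
        name = $ruleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'
    }
    # Match every URL, then decide on the *decoded* request URI in a condition,
    # so percent-encoded variants (%40 for "@", %2F for "/") do not bypass the rule.
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' -Value @{
        input      = '{UrlDecode:{REQUEST_URI}}'
        # Example pattern: both tokens present, in any order, case-insensitive.
        pattern    = '(?=.*autodiscover\.json)(?=.*powershell)'
        ignoreCase = 'True'
    }
    # AbortRequest drops the connection rather than returning a response body.
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type' -Value 'AbortRequest'
}

# Firewall part of Microsoft's interim advice. Caveat: 5985/5986 are WinRM ports;
# Exchange's own remote PowerShell endpoint is the /PowerShell virtual directory
# served by IIS over 80/443, so the URL Rewrite rule above is the control that
# actually sits in front of the exploited request path.
$fwName = 'Block Remote PowerShell 5985-5986 (example)'
if (-not (Get-NetFirewallRule -DisplayName $fwName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $fwName -Direction Inbound -Protocol TCP `
        -LocalPort 5985, 5986 -Action Block | Out-Null
}

# Verify the rewrite rule and its condition landed as intended.
Get-WebConfiguration -PSPath $site -Filter $rule | Select-Object name, stopProcessing
Get-WebConfiguration -PSPath $site -Filter "$rule/conditions/add" | Select-Object input, pattern
```

After applying the rule, send a benign request that contains both tokens in the query string (for example from a test client) and confirm the connection is aborted, then confirm that normal Autodiscover traffic from Outlook clients still succeeds; a rule that is too broad breaks mail clients just as surely as one that is too narrow fails to block the exploit.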

Microsoft’s advisory has a number of other suggestions for detecting infections and preventing exploits until a patch is available.
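A detection pass over IIS logs for the request shape this attack uses, as an added example that is not Microsoft's advisory command and not part of the original article. Microsoft's advisory gives its own one-line search; this example instead parses the W3C field header so it can check the request stem, the decoded query string and the status code as separate fields, which avoids both missed hits from percent-encoding and false hits from unrelated lines that happen to contain the same words. The log lines are constructed for illustration, not captured traffic; the function name and field handling are this example's own.

```powershell
# Added example (not Microsoft's advisory command). Scans IIS W3C log lines for
# successful requests to /autodiscover/autodiscover.json whose query string carries
# the "@<host>/powershell" path-confusion marker. Sample log is CONSTRUCTED.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-09-29 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 31
2022-09-29 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.test/powershell/?X-Rps-CAT=aaaa 443 CONTOSO\jdoe 203.0.113.10 python-requests/2.28 200 512
2022-09-29 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json %40contoso.test/PowerShell/?X-Rps-CAT=aaaa 443 CONTOSO\jdoe 203.0.113.10 python-requests/2.28 200 498
2022-09-29 10:15:11 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.test/powershell/?X-Rps-CAT=aaaa 443 - 203.0.113.10 python-requests/2.28 401 9
2022-09-29 10:16:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe%40contoso.test 443 CONTOSO\jdoe 10.0.0.22 Outlook/16.0 200 40
'@

function Find-AutodiscoverPowerShellRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # W3C logs declare their column order; never assume a fixed layout.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }

        $cols = $line -split ' '
        if ($cols.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        # Decode so %40 / %2F variants look like their literal forms before matching.
        $query = [System.Uri]::UnescapeDataString($row['cs-uri-query'])

        # -match is case-insensitive by default in PowerShell.
        $isAutodiscoverJson = $row['cs-uri-stem'] -match '/autodiscover/autodiscover\.json$'
        $targetsPowerShell  = $query -match '@.*?/powershell'
        $succeeded          = $row['sc-status'] -eq '200'   # failed attempts are noise here

        if ($isAutodiscoverJson -and $targetsPowerShell -and $succeeded) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                User     = $row['cs-username']
                Query    = $query
            }
        }
    }
}

# Against the constructed sample this reports the two 200-status lines (10:15:07 and
# 10:15:09) and ignores the 401 and the ordinary Outlook Autodiscover request.
$hits = @(Find-AutodiscoverPowerShellRequests -Lines ($sampleLog -split "`r?`n"))
$hits | Format-Table -AutoSize
"$($hits.Count) suspicious request(s)"

# Real use (path is an assumption; adjust to the server's log directory):
# Get-ChildItem -Recurse -Path 'C:\inetpub\logs\LogFiles' -Filter '*.log' |
#     ForEach-Object { Find-AutodiscoverPowerShellRequests -Lines (Get-Content $_.FullName) }
```

Treat a hit as a lead, not a verdict: pivot on the client IP and the authenticated user to the Exchange HttpProxy logs and look for the webshell artefacts GTSC describes, since a successful request here means the attacker already held a valid mailbox credential.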
