Microsoft's Exchange servers around the globe are going through a difficult period: a major attack campaign has been under way for several days. Its goal appears to be to spread a remotely controlled, encrypted backdoor by exploiting two new vulnerabilities. The company is under fire again after the events of last spring, when the Lapsus$ group managed to break into the Redmond company's computer systems.
This time the victims could number over 200,000 servers, and the culprits may be Chinese, although nothing official has been confirmed. In fact, the attackers remain unknown; the zero-day flaws were first discovered by the Vietnamese security firm GTSC, whose researchers detected malicious webshells on customer networks linked to a vulnerability in the Exchange software.
Similarities were initially found to the well-known 2021 zero-day ProxyShell (CVE-2021-34473), but on further investigation the researchers found that its origin was still unknown. Microsoft later joined the chorus, confirming the GTSC analysis and highlighting two new flaws in the company's popular mail platform: CVE-2022-41040, a server-side spoofing vulnerability, and CVE-2022-41082, which allows remote code execution through PowerShell.
Microsoft has recorded limited activity involving targeted attacks based on the two zero-day flaws. Attackers are exploiting CVE-2022-41040 to remotely trigger CVE-2022-41082, although Redmond stresses that a successful intrusion requires valid credentials for at least one email user on the affected server.
As mentioned at the outset, over 200,000 Exchange servers could be vulnerable to the new attacks, along with another thousand in hybrid configurations. The threat affects only on-premises versions of Exchange Server, while those hosted on Microsoft's cloud platform should be safe.
The Chinese hypothesis derives from the fact that the webshells found by the GTSC researchers on the compromised servers contain simplified Chinese characters; this has led to speculation that state-sponsored hackers may be behind the campaign, but it obviously remains no more than a hypothesis.
The risk is very high, and Microsoft is working diligently to develop a patch that will close the flaws as soon as possible; in the meantime, there is advice for Exchange customers. The goal is to mitigate any intrusions, and to that end the recommendation is to block Internet traffic on HTTP port 5985 and HTTPS port 5986. Microsoft also specifies that Exchange Online customers do not need to take any action, as these attacks do not affect them.
UPDATE: NEW MICROSOFT MITIGATIONS
Microsoft has updated its mitigations for the latest Exchange zero-day vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082 and also referred to as ProxyNotShell. The initial recommendations were insufficient: researchers showed they could be easily bypassed, allowing new attacks that exploit the two bugs. On Tuesday, Microsoft announced that it had updated its advisories with an improved URL Rewrite rule, advising Exchange Server customers to review it and adopt one of the mitigation options provided.
Customers with the Exchange Emergency Mitigation Service (EEMS) enabled automatically receive the URL Rewrite mitigation update for Exchange Server 2016 and Exchange Server 2019.
The EOMTv2 script (version 22.10.03.1829) now includes the improved URL Rewrite rule. It updates automatically on machines connected to the Internet and should be run again on any Exchange server that does not have EEMS enabled. The third option is to manually delete the previously created rule and add the improved one by following the instructions below:
- Open IIS Manager.
- Select "Default Web Site".
- In Features View, click "URL Rewrite".
- In the Actions pane on the right-hand side, click "Add Rule(s)…".
- Select "Request Blocking" and click OK.
- Add the string `.*autodiscover\.json.*Powershell.*` (excluding the backticks/quotation marks).
- Under "Using", select "Regular Expressions".
- Under "How to block", select "Abort Request" and then click OK.
- Expand the rule, select the rule with the pattern `.*autodiscover\.json.*Powershell.*`, and click "Edit" under Conditions.
- Change the "Condition input" from {URL} to {REQUEST_URI}.
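For administrators who would rather audit the result on disk than click through IIS Manager, the following is the rule those steps produce, as it would appear in the Default Web Site's web.config. This is an added illustration, not text from the article or from Microsoft's EOMT script; the rule name and the file path (C:\inetpub\wwwroot\web.config) are assumptions.

```xml
<!-- Added example: the improved ProxyNotShell blocking rule in web.config form.
     Assumed location: C:\inetpub\wwwroot\web.config (Default Web Site). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is an assumption; IIS Manager's template would name it RequestBlockingRule1. -->
        <rule name="ProxyNotShell block" stopProcessing="true">
          <!-- Match every request; the blocking decision is made in the condition below. -->
          <match url=".*" />
          <conditions>
            <!-- The Request Blocking template defaults the input to {URL}, which is only
                 the decoded URL path without the query string. {REQUEST_URI} is the full
                 raw request target, which is why the article's last step changes it.
                 ignoreCase="true" is the IIS default; it matters because the real path
                 segment is lowercase "autodiscover". -->
            <add input="{REQUEST_URI}" pattern=".*autodiscover\.json.*Powershell.*" ignoreCase="true" />
          </conditions>
          <!-- "Abort Request" in IIS Manager: the connection is dropped with no response. -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving, reopen the rule in IIS Manager and confirm the condition input reads {REQUEST_URI}; a rule still showing {URL} is the earlier, insufficient version.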