On September 29, 2022, the GTSC Team issued a warning based on newly uncovered zero-day flaws in Microsoft Exchange Server, which are currently under active exploitation. Due to the resemblance of requests used in the ongoing campaigns with those leveraged in cyber-attacks exploiting ProxyShell vulnerabilities, new Microsoft Exchange zero-days have been called ProxyNotShell. GTSC has instantly reported this critical information about uncovered security bugs to Microsoft via Zero Day Initiative. Further on, these in-the-wild vulnerabilities were identified as CVE-2022-41040 and CVE-2022-41082, with a CVSS score of 8.8. GTSC researchers attribute the malicious activity to Chinese threat actors based on the code page containing web shells and the use of a Chinese open-source website admin tool dubbed AntSword.
The Microsoft Security Response Center (MSRC) issued customer guidance with its latest updates on October 2. MSRC describes vulnerabilities as:
- CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability
- CVE-2022-41082 enables RCE using PowerShell
Timing for setting up the security precautions and detections is critical, based on the report of the Defence Intelligence of Ukraine and the warning of CERT UA on Exchange exploitation as Initial Access as exploitation of public-facing Exchange servers is used by the russian threat actors over the course of the ongoing cyber war against Ukraine and is likely to be targeted against any of Ukraine's Allies.
Below you can find more details on the ProxyNotShell attacks and explore relevant detection content. The strategic goal of adversaries is to gain authenticated access to the Exchange application, triggering both vulnerabilities in an exploit chain resulting in RCE, data exfiltration, and lateral movement to cause an organization-wide impact. In the case of in-the-wild attacks exploiting zero-days, proactive cyber defense plays a major role in the remediation of more severe threats.
Context Behind ProxyNotShell Zero-Day Vulnerabilities
What makes the ongoing attacks more dangerous is that both vulnerabilities can be paired together in an exploit chain to deploy Chinese Chopper web shells allowing adversaries to steal sensitive data and move laterally across the infected environment. To successfully exploit either of the reported zero-days, attackers must gain authenticated access to the compromised application. The CVE-2022-41082 flaw can be triggered in the exploit chain as soon as threat actors obtain authenticated access to Exchange Server and leverage the CVE-2022-41040 flaw.
Tactical Intelligence
Although there are no PoCs currently available in the wild, the attack can be detected using the Initial Access, Execution, Persistence, and Defence Evasion MITRE ATT&CK tactics. Immediate detection and response operations are critical as exploitation of globally used Microsoft Exchange servers is leveraged by the russian attackers with the open threat being already declared targeting Ukraine and Ukrainian Allies.
Strategic Intelligence
Cybersecurity professionals can improve the detection engineering routine and SOC content deployment by leveraging Sigma rules in conjunction with the best Detection-as-Code practices to have their security solutions continuously updated with curated detection rules and hunting queries against the latest exploitable CVEs. You cannot patch a zero-day in 24 hours, still, you can always obtain relevant detection content in less than 24 hours and apply it in a couple of clicks to ensure proactive cyber defense.
CVE-2022-41040 and CVE-2022-41082 aka ProxyNotShell Exploit Detection
SOC Prime's Detection as Code platform curates Sigma rules to detect ProxyNotShell exploitation patterns that can be used across industry-leading SIEM, EDR, and XDR solutions, including Microsoft Sentinel, Google Chronicle Security, Splunk, QRadar, Microsoft Defender for Endpoint, Devo, the Elastic Stack. All detections are available for instant search by the corresponding "ProxyNotShell" tag. Once you deploy the detection content, you will be able to identify potential attack patterns.
Required Logging
- Microsoft Sysmon event ID 1, 11, logging fields (default fields). Fields in use: Image, ParentImage, TargetFilename, CommandLine
- Microsoft Security Audit Log, EventID 4688, 4663 -> CommandLine for 4688; ProcessName, ObjectName, AccessMask for 466
- Webserver - GET requests, Status, URI
For successful deployment, make sure that Event fields are collected and parsed. If not parsed properly, use the Sigmac configs and custom data schema mapping to overcome potential hurdles and hunt on data you already have.
Ensure data retention policies for those events are increased within the recommended period of 90 days.
Other mitigation measures you can take to minimize the risks of CVE-2021-40444 and CVE-2022-41082 exploitation are as follows:
- On-premises Exchange users are recommended to follow a set of URL Rewrite Instructions provided by Microsoft and block compromised Remote PowerShell ports
- Disable remote PowerShell access for non-admin users
Search socprime.com for the latest CVEs, ransomware, or any ATT&CK tag and directly access over 2,000 Sigma rules enriched with relevant cyber threat context - in a matter of seconds and without registration.
