Microsoft Exchange Server Zero-Day Mitigation Proves Insufficient
In early August 2022, Vietnamese cybersecurity research group GTSC discovered two unpatched zero-day vulnerabilities that remotely compromise on-premises Microsoft Exchange servers. Microsoft confirmed these vulnerabilities were being exploited in a limited and targeted manner.
The Common Vulnerabilities and Exposures Program (CVE) is now tracking these Microsoft vulnerabilities as CVE-2022-41040 and CVE-2022-41082. 41040 is a server-side forgery (SSRF) issue that enables an authenticated threat actor to trigger 41082. SSRFs abuse legitimate server functionality to access or modify resources. In this case, once the initial vulnerability is exploited, the second vulnerability allows for remote code execution via PowerShell. The threat actors can then leverage certutil, a legitimate utility used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and to verify certificates, key pairs, and certificate chains.
Microsoft Exchange Server® versions 2013, 2016, and 2019 are all affected by these vulnerabilities. Microsoft Exchange Online has detections and mitigations established to block this vulnerability.
Impact
In attacks endured by multiple Microsoft customers, the attackers used this exploit to deploy backdoor scripts imitating legitimate Exchange files such as RedirSuiteServiceProxy.aspx, which are available on the Exchange server. Once these backdoor scripts are deployed, credential-stealing malware is spread through the compromised servers. As seen across the broader threat landscape, credential-stealing attacks such as this can lay the groundwork for future attacks, including information stealing and introduction of ransomware.
Researchers hypothesize that the exploit originates from China, given the use of Antsword, a popular Chinese language-based open-source web shell (SharPyShell), and China Chopper.
Microsoft notes that to exploit the vulnerability, authenticated access to the vulnerable Exchange server is necessary. However, with the rise in credential-stealing and social engineering attacks, obtaining authenticated access has become increasingly easy for threat actors.
Mitigation Is Insufficient Protection
Shortly after these vulnerabilities were detected, Microsoft provided proposed mitigation that involves blocking the known attack patterns by using the URL Rewrite engine to deliver the blocking rule, and a PowerShell script to automate the deployment.
However, security researchers quickly determined that the blocking rule can be bypassed easily, given the over-specificity of the rule. If the threat actor tailors its attack to work outside of this precise rule, the compromised system remains still vulnerable.
Microsoft also recommends that organizations disable remote PowerShell access for non-admin users. Ideally, this action would reduce the attack surface if a non-admin account were to be compromised. However, this still leaves systems vulnerable to stolen admin credentials.
CylanceOPTICS Customers Have an Additional Layer of Protection From BlackBerry
While the initial mitigations provided by Microsoft were identified as insufficient, as a general best practice, BlackBerry strongly recommends that customers concerned about these vulnerabilities follow the recommendations provided by the Microsoft Security Response Center.
BlackBerry customers who use CylanceOPTICS®, the BlackBerry® EDR (endpoint detection and response) solution, have an additional layer of protection from these vulnerabilities. BlackBerry Threat Research has authored a CylanceOPTICS rule available to download in MyAccount, the BlackBerry customer portal, with specific instructions outlined in Knowledge Base article KB102471. Once enabled, this rule will help to identify and mitigate the techniques utilized in these zero-day vulnerabilities.