Critical Exchange Remote Code Execution
The attackers are chaining the pair of zero-days to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as move laterally to other systems on the victims’ networks.
“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.
GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.
The user agent used to install the web shells also belongs to Antsword, a Chinese-based open-source website admin tool with web shell management support.
Microsoft hasn’t disclosed any information regarding the two security flaws so far and is yet to assign a CVE ID to track them.
The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.
Temporary mitigation available
Until Microsoft releases security updates to address the two zero-days, by adding a new IIS server rule using the URL Rewrite Rule module will block Powershell from being leveraged for the attack:
- In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
- Add string “.*autodiscover\.json.*\@.*Powershell.*“ to the URL Path.
- Condition input: Choose {REQUEST_URI}
Threat Hunting
Admins who want to check if their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan IIS log files for indicators of compromise:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
Indicators of Compromise (IOCs)
Webshell:
File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx
Filename: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
File name: 180000000.dll (Dump từ tiến trình Svchost.exe)
SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
File name: Dll.dll
SHA256:
- 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
- 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
- 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
- 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
- c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
IP:
- 125[.]212[.]220[.]48
- 5[.]180[.]61[.]17
- 47[.]242[.]39[.]92
- 61[.]244[.]94[.]85
- 86[.]48[.]6[.]69
- 86[.]48[.]12[.]64
- 94[.]140[.]8[.]48
- 94[.]140[.]8[.]113
- 103[.]9[.]76[.]208
- 103[.]9[.]76[.]211
- 104[.]244[.]79[.]6
- 112[.]118[.]48[.]186
- 122[.]155[.]174[.]188
- 125[.]212[.]241[.]134
- 185[.]220[.]101[.]182
- 194[.]150[.]167[.]88
- 212[.]119[.]34[.]11
URL:
- hxxp://206[.]188[.]196[.]77:8080/themes.aspx
C2:
- 137[.]184[.]67[.]33
Detailed Mitigations
On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports.
The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}
Impact: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.
- HTTP: 5985
- HTTPS: 5986