Zero Day Exchange Vulnerabilities / CVE-2022-41040 and CVE-2022-41082

BACKGROUND
      
Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server.
 
The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.

IMPACT
      
•    Allows an attacker with credentials for a user account on the mail server to gain unauthorized levels of access.
•    Allows remote code execution, giving attackers the ability to make changes to victims’ systems.

SYSTEMS AFFECTED
      
•    Microsoft Exchange Server 2013
•    Microsoft Exchange Server 2016
•    Microsoft Exchange Server 2019

INDICATORS OF COMPROMISE

•    Webshells:
     •    File name: pxh4HG1v.ashx
          SHA256: c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
          Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
     •    File name: RedirSuiteServiceProxy.aspx
          SHA256: 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
          Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
     •    File name: RedirSuiteServiceProxy.aspx
          SHA256: b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
          Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
     •    File name: Xml.ashx (same contents as pxh4HG1v.ashx, hence the same hash)
          SHA256: c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
          Path: C:\inetpub\wwwroot\aspnet_client\Xml.ashx
     •    File name: errorEE.aspx
          SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
          Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

•    DLLs:
     •    File name: Dll.dll
          SHA256 (five samples):
          074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
          45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
          9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
          29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
          c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
     •    File name: 180000000.dll
          SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

•    IP: 
    125[.]212[.]220[.]48
    5[.]180[.]61[.]17
    47[.]242[.]39[.]92
    61[.]244[.]94[.]85
    86[.]48[.]6[.]69
    86[.]48[.]12[.]64
    94[.]140[.]8[.]48
    94[.]140[.]8[.]113
    103[.]9[.]76[.]208
    103[.]9[.]76[.]211
    104[.]244[.]79[.]6
    112[.]118[.]48[.]186
    122[.]155[.]174[.]188
    125[.]212[.]241[.]134
    185[.]220[.]101[.]182
    194[.]150[.]167[.]88
    212[.]119[.]34[.]11

•    URL:
    hxxp://206[.]188[.]196[.]77:8080/themes.aspx

•    C2:
    137[.]184[.]67[.]33
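The following PowerShell is an added example, not part of the original advisory, showing how a defender can sweep an Exchange server for the indicators listed above: it hashes the scripts, handlers and DLLs in the two drop directories against the advisory's SHA256 values and file names, then searches the IIS logs for the advisory's IP addresses (including the URL host and the C2 address). The function names, the use of the `ExchangeInstallPath` environment variable that Exchange setup creates, and the default IIS log root `C:\inetpub\logs\LogFiles` are this example's own assumptions; every hash, file name, path and IP comes from the list above.

```powershell
# Added example (not the advisory's own code): hunt for the advisory's file and
# network indicators on an Exchange server. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# SHA256 values from the advisory, lower-cased to compare with Get-FileHash output
$KnownBadHashes = @(
    'c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1',  # pxh4HG1v.ashx / Xml.ashx
    '65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5',  # RedirSuiteServiceProxy.aspx
    'b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca',  # RedirSuiteServiceProxy.aspx
    'be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257',  # errorEE.aspx
    '074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82',  # Dll.dll
    '45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9',  # Dll.dll
    '9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0',  # Dll.dll
    '29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3',  # Dll.dll
    'c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2',  # Dll.dll
    '76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e'   # 180000000.dll
)
$KnownBadNames = @('pxh4HG1v.ashx', 'RedirSuiteServiceProxy.aspx', 'Xml.ashx',
                   'errorEE.aspx', 'Dll.dll', '180000000.dll')

# Advisory IPs, URL host and C2 address; the advisory defangs them with [.], re-fanged here
# so they match the text of IIS log entries
$KnownBadIPs = @(
    '125.212.220.48', '5.180.61.17', '47.242.39.92', '61.244.94.85', '86.48.6.69',
    '86.48.12.64', '94.140.8.48', '94.140.8.113', '103.9.76.208', '103.9.76.211',
    '104.244.79.6', '112.118.48.186', '122.155.174.188', '125.212.241.134',
    '185.220.101.182', '194.150.167.88', '212.119.34.11', '206.188.196.77', '137.184.67.33'
)

# Exchange setup exports ExchangeInstallPath; fall back to the default install root (assumption)
$exRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$WatchDirs = @(
    (Join-Path $exRoot 'FrontEnd\HttpProxy\owa\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

function Find-IocFiles {
    # Hash every .aspx/.ashx/.dll under the drop directories; flag matches by hash or by name.
    foreach ($dir in $WatchDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.aspx', '.ashx', '.dll') } |
            ForEach-Object {
                $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                $byHash = $KnownBadHashes -contains $hash
                $byName = $KnownBadNames  -contains $_.Name
                if ($byHash -or $byName) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        SHA256    = $hash
                        HashMatch = $byHash   # identical content to a listed sample
                        NameMatch = $byName   # same name only; may be a modified copy
                        LastWrite = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

function Find-IocIPsInIisLogs {
    # Default IIS log root (assumption; change it if the Exchange sites log elsewhere).
    param([string]$LogRoot = 'C:\inetpub\logs\LogFiles')
    if (-not (Test-Path -LiteralPath $LogRoot)) { return }
    # Digit-boundary anchors so 5.180.61.17 does not match inside 15.180.61.170
    $pattern = '(?<!\d)(' + (($KnownBadIPs | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(?!\d)'
    Get-ChildItem -LiteralPath $LogRoot -File -Recurse -Filter '*.log' |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{ Log = $_.Path; Line = $_.LineNumber; IP = $_.Matches[0].Value; Entry = $_.Line }
        }
}

$files = @(Find-IocFiles)
$conns = @(Find-IocIPsInIisLogs)
"File indicators found: $($files.Count)"
$files | Format-Table Path, HashMatch, NameMatch, LastWrite -AutoSize
"IIS log lines containing advisory IPs: $($conns.Count)"
$conns | Format-Table Log, Line, IP -AutoSize
```

A name-only match (`NameMatch` true, `HashMatch` false) deserves the same attention as a hash match, since a web shell edited after the samples above were collected keeps its name but not its hash; conversely, a clean sweep only shows that these particular indicators are absent, so the file timestamps in `owa\auth` and the IIS logs should still be reviewed for anything unexpected around the patch window.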

RECOMMENDATIONS
     

  •   Microsoft Exchange Server customers using Microsoft 365 Defender are advised to follow this checklist: 
  1. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants. 
  2. Turn on tamper protection features to prevent attackers from stopping security services. 
  3. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 
  4. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet. 
  5. Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
  6. Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
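The PowerShell below is an added example, not part of the advisory or of Microsoft's guidance, showing how to audit a host against this checklist and apply the two items that can be set locally. Items 1 and 4 map to the real `Set-MpPreference` parameters `-MAPSReporting` and `-EnableNetworkProtection`; items 2, 3, 5 and 6 are managed from the Microsoft 365 Defender portal (or Intune), so the script only reports their state where `Get-MpComputerStatus` exposes it. The function names are this example's own; it assumes an elevated prompt on a Windows server with Microsoft Defender Antivirus installed.

```powershell
# Added example (not the advisory's own code): audit and partially apply the
# Microsoft 365 Defender checklist above. Run from an elevated PowerShell prompt.

function Get-DefenderChecklistStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        # Item 1: cloud-delivered protection. MAPSReporting 0 = Disabled, 1 = Basic, 2 = Advanced.
        CloudProtection   = ($pref.MAPSReporting -eq 2)
        # Item 2: tamper protection is set through the Defender portal / Intune; reported only.
        TamperProtection  = [bool]$status.IsTamperProtected
        # Item 3: 'Passive Mode' when a third-party AV is primary, 'EDR Block Mode' when block mode is on;
        # block mode itself is turned on in the portal, so this is reported only.
        RunningMode       = $status.AMRunningMode
        # Item 4: network protection. 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
        NetworkProtection = ($pref.EnableNetworkProtection -eq 1)
        # Items 5 and 6 (automated investigation, device discovery) are portal-only settings
        # with no local cmdlet, so they are not represented here.
    }
}

function Enable-LocalChecklistItems {
    # Item 1: cloud-delivered protection at the Advanced reporting level
    Set-MpPreference -MAPSReporting Advanced
    # Item 4: network protection in block (not audit) mode
    Set-MpPreference -EnableNetworkProtection Enabled
}

$before = Get-DefenderChecklistStatus
if (-not $before.CloudProtection -or -not $before.NetworkProtection) {
    Enable-LocalChecklistItems
}
Get-DefenderChecklistStatus | Format-List
```

On an Exchange server running a non-Microsoft antivirus, `RunningMode` will read `Passive Mode` until EDR in block mode is enabled from the portal; the other fields should all be true after the script runs, and any that are not point to a policy (group policy, Intune, or tamper protection itself) overriding the local setting.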