Active Exploitation of Zero Day Microsoft Exchange Server Vulnerabilities

Microsoft has been alerted to in-the-wild exploitation of two zero-day vulnerabilities in Microsoft Exchange Server. It has shared mitigations to apply until the vulnerabilities are patched.

The two vulnerabilities are being chained together, and a Chinese threat actor is exploiting them. The attacks have been limited to date; however, the healthcare and public health industry in the United States may be a target.

Microsoft Exchange Server 2013, 2016, and 2019 are affected by the vulnerabilities. After initial access is gained through the exploitation of CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, the second vulnerability, CVE-2022-41082, a Remote Code Execution vulnerability, is exploited. An attacker can only exploit the second vulnerability if they have access to PowerShell.

Microsoft has confirmed that an unauthenticated attacker cannot exploit the vulnerabilities. Both vulnerabilities require authenticated access (using valid stolen credentials, for example) before an attacker can exploit a vulnerable Microsoft Exchange Server. The first vulnerability has a CVSS severity score of 8.8 out of 10, while the second vulnerability has a CVSS score of 6.3. After exploiting the vulnerabilities, a threat actor can use a backdoor for persistent access. The attackers have used the China Chopper web shell to gain persistent access in a few of the attacks, which indicates that a state-sponsored Chinese hacking group is exploiting the vulnerabilities.

Microsoft is urgently working on patches for the vulnerabilities and has provided mitigations that users of on-premises Microsoft Exchange Servers can implement prior to the release of the patches. Microsoft stated it has implemented detection rules for Microsoft Exchange Online and has set up mitigations to safeguard customers, so Exchange Online clients don’t have to do anything to stop exploitation of the vulnerabilities.

Clients with on-premises or hybrid Microsoft Exchange Servers are not protected. Microsoft recommends they add a blocking rule in ‘IIS Manager -> Default Web Site -> URL Rewrite -> Actions’ to block the identified attack patterns; the details were included in the Microsoft Security Response Center blog.

Nevertheless, according to a tweet from security researcher Jang (@testanull), the mitigations recommended by Microsoft to block the URL patterns identified from known attacks are very specific and could be quickly bypassed. GTSC researchers, who announced the Zero Day Initiative vulnerabilities, have affirmed that the recommended mitigations are not enough and won’t stop the exploitation of the vulnerabilities.