Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

Vulnerability details and ongoing exploitation


Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. Open-source reporting indicates that webShells such as Antsword, a popular Chinese language-based open-source webshell, SharPyShell an ASP.NET-based webshell and China Chopper have been deployed on compromised systems consisting of the following artifacts:

  • C:\inetpub\wwwroot\aspnet_client\Xml.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx



This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.

Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using cert util, however, these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities.

Coverage


Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Cisco Talos is releasing SID 60642 to protect against CVE-2022-41040.

In addition we are releasing SIDs 60637-60641 to protect against malicious activity observed during exploitation of CVE-2022-41082.

The existing SIDs 27966-27968, 28323, 37245, and 42834-42838 provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

  • Asp.Backdoor.AntSword-9972727-1
  • Asp.Backdoor.Awen-9972728-0
  • Asp.Backdoor.AntSword-9972729-0

IOCs

IOCs for this research can be found in our GitHub repository here

IPs and URLs

125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11
137[.]184[.]67[.]33
206[.]188[.]196[.]77
hxxp://206[.]188[.]196[.]77:8080/themes.aspx