The attackers are leveraging two widely reported Microsoft vulnerabilities (CVE-2022-41040, CVE-2022-41082) to breach your server.
News of the attacks broke on Wednesday, when researchers with Vietnamese cybersecurity company GTSC released a warning saying that malicious actors were developing proxy shells to bypass new restrictions in Windows 10.
There are two vulnerabilities (CVE-2022-41040, CVE-2022-41082)
CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, is a dangerous bug that allows an attacker to execute code remotely on your server: arbitrary code runs on the server and the attacker gains full control of the host. An attacker needs admin privileges and access to PowerShell to exploit this issue.
Microsoft has identified two new vulnerabilities that could be leveraged in attacks to gain remote access to a user’s system. Specifically, CVE-2022-41040 may enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that this authentication is necessary for the exploits to occur.
It hasn’t been publicized yet, but Microsoft has recently discovered several vulnerabilities in its Exchange Server product.
In the latest development, it has been revealed that Microsoft has not yet released a patch for this known bug, which has the potential to cause serious problems.
Microsoft has put detection and mitigation measures in place to protect Exchange Server customers, but it urged admins of on-prem installations of the product to implement mitigations themselves. These include adding blocking rules that prevent known attacks, blocking some ports and restricting exfiltration.
Prevention and detection
ProxyShell was initially thought to be involved in the attack, but further analysis showed that the targeted MS Exchange servers were already up-to-date with patches, so the theory of it being exploited was discarded.
Security researcher Kevin Beaumont points out that the ProxyShell patches released in early 2021 didn’t fix the issue. The patch is equivalent to the one before, but with authentication.
Research done by GTSC has revealed that an attack on their network occurred at the beginning of August. They say it was an attempt to gain access to their compromised servers and then “create backdoors on the affected system and perform lateral movements into other systems.”
Webshells are malicious software, like viruses, worms, or Trojans, that an attacker deploys against their target. They are placed on websites that unsuspecting visitors may open, to spy without the owner’s knowledge. This usage, known as Webshell harvesting, was recently discovered and revealed by security researchers at siteStrike Labs, who use the User-Agent header to detect it.
GTSC has created a set of indicators of compromise and guidelines for defenders to scan the system log files for evidence of compromise.
Microsoft and Trend Micro both provide investigation queries and explain how to use their products for remediation.
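As an added illustration of the log-file sweep described above (this is not code from the article, GTSC or Microsoft), the following Python scanner reads IIS W3C logs and flags requests that match a detection rule adapted from the public guidance for this flaw. The exact rule, the field layout and the sample log lines are assumptions constructed for the example.

```python
import re

# Detection rule adapted from public GTSC / Microsoft guidance for this flaw
# (assumption: adapted from that guidance, not quoted from the article).
# A suspicious request hits autodiscover.json, carries an '@' in the URL and
# references the PowerShell backend; lookaheads make the order irrelevant.
SUSPICIOUS = re.compile(r"(?=.*autodiscover\.json)(?=.*@)(?=.*powershell)",
                        re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real telemetry): a benign Autodiscover
# request, one matching request that succeeded, and one that was rejected.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-30 08:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 10.0.0.7 200
2022-09-30 08:00:02 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/powershell 203.0.113.9 200
2022-09-30 08:00:03 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/powershell 203.0.113.9 401
"""


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_suspicious(log_text, successful_only=True):
    """Return (client IP, URI, status) for entries matching the rule."""
    hits = []
    for row in parse_w3c(log_text.splitlines(keepends=True)):
        uri = row["cs-uri-stem"] + "?" + row.get("cs-uri-query", "-")
        if not SUSPICIOUS.search(uri):
            continue
        # A 200 means the front end proxied the request; other codes are
        # worth a look but far less likely to indicate a completed chain.
        if successful_only and row.get("sc-status") != "200":
            continue
        hits.append((row["c-ip"], uri, row["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, successful_only=False):
        print(hit)
```

Point the scanner at the real log directory (the W3C `#Fields:` header is honoured, so field order in production logs does not matter) and triage the source IPs and timestamps of any hits alongside the published indicators.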
“A quick sweep of the internet suggests a lot of organizations haven’t yet patched for ProxyShell,” Beaumont noted. “However, there are nearly 250,000 vulnerable Exchange servers exposed on the internet.”
As a side note: Microsoft recently asked bug hunters to research on-premises Exchange and SharePoint servers.