On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named “ProxyNotShell”) in Microsoft Exchange Server via two advisories issued by Zero Day Initiative: ZDI-CAN-18333 and ZDI-CAN-18802.
The first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft mentions that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.
On September 30, 2022, Microsoft released an advisory acknowledging that they are “aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”
Threat actors are chaining these two zero-day vulnerabilities to deploy Chinese Chopper web shells on vulnerable Microsoft Exchange Servers for persistence and data theft. Based on the code on these web shells, GTSC suspects that these threat actors are based in China. As a result, CISA has added these vulnerabilities to its list of Known Exploited Vulnerabilities Catalog.
These vulnerabilities affect the following versions of Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Qualys Vulnerability Coverage (QID)
Qualys customers can use the following QID to identify potentially vulnerable assets in their environments.
QID | Title | Release Versions |
---|---|---|
50122 | Microsoft Exchange Server Multiple Vulnerabilities (Zero Day) | VULNSIGS-2.5.596-5 or later and QAGENT-SIGNATURE-SET-2.5.596.5-4 or later |
Detect ProxyNotShell Using Qualys VMDR
Here are the steps that your organization can take to rapidly respond to the zero-day threat of ProxyNotShell using Qualys VMDR.
Identify Microsoft Exchange Server Assets
The first step in managing these critical vulnerabilities and reducing risk is identification of your potentially vulnerable assets. Qualys VMDR makes it easy to identify Windows Exchange Server systems.
Use the following Qualys Query Language (QQL) string:
operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)
Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, for example: “ProxyNotShell Exchange Server 0-day”. This helps in automatically grouping existing hosts with the zero-days as well as any new Windows Exchange Server that is provisioned in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout the Qualys Cloud Platform.
Using the VMDR Dashboard, you can track ‘Exchange 0-day’, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.
Read the Article (Qualys Customer Portal): ProxyNotShell Exchange Server 0-Day Dashboard | Critical Global View
Discover ProxyNotShell Exchange Server Zero-Day Vulnerabilities
Now that hosts running Microsoft Exchange Server are identified, you will want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always up-to-date Qualys KnowledgeBase (KB).
You can see all your impacted hosts for this vulnerability tagged with the ‘Exchange Server 0-day’ asset tag in the vulnerabilities view by using this QQL query:
VMDR query: vulnerabilities.vulnerability.qid: 50122
QID 50122 is available in signature version VULNSIGS-2.5.596-5 and above. It can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 2.5.596.5-4 and above.
Microsoft Guidance for Risk Mitigation of ProxyNotShell
Microsoft has released Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server [msrc-blog.microsoft.com]. According to the blog post, “Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.” The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.
Note: Microsoft Exchange Online is not affected.
An attacker could exploit these vulnerabilities to take control of an affected system.
Remediation/Mitigation of ProxyNotShell
Qualys Patch Management and Qualys Custom Assessment and Remediation (CAR) customers can leverage the scripting capabilities of both products to deploy mitigation actions to their Exchange Servers.
By leveraging Qualys CAR’s scripting capabilities or Patch Management’s pre-actions capabilities, customers can deploy a PowerShell script to apply the mitigations recommended by Microsoft.
Refer to the Qualys scripting library on GitHub for the mitigation script and execute it via Qualys CAR on required assets.
Detect Malicious Behavior related to ProxyNotShell using Qualys Multi-Vector EDR
Based on the post-exploitation activity from multiple threat actors, Qualys Multi-Vector EDR customers can hunt for the following malicious activities:
- Detecting usual children of w3wp.exe such as:
- csc.exe
- transcodingservice.exe
- werfault.exe
- powershell
- powershell_ise
- python
- curl.exe
- Detecting webshell-like files with the following extensions being written on an Exchange Server:
- .ashx
- .aspx
- .asmx
- .asax
Detect Exploitation Attempts related to ProxyNotShell using Qualys Context XDR
Interested Qualys Context XDR customers can contact their Technical Account Managers for the following rules:
- T1190 – [Akamai WAF] ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082)
- T1190 – ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082)
- T1190 – [Trend Micro TippingPoint IPS] ProxyNotShell RCE Vulnerability Exploitation Detected
- T1190 – ProxyNotShell RCE Vulnerability Exploitation Detected via Firewall (CVE-2022-41040/CVE-2022-41082)
With Qualys Context XDR, customers have the power to write their own detections as well. An example of a generic rule that detects ProxyNotShell attempts is shown below:
Indicators of Compromise (IOCs) for ProxyNotShell
Filenames | SHA256 Hash | Path |
---|---|---|
Pxh4HG1v.ashx | c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
RedirSuiteServiceProxy.aspx | 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5 | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
RedirSuiteServiceProxy.aspx | b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
xml.ashx | c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | |
errorEE.aspx | be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257 | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
Dll.dll | 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 | |
Dll.dll | 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 | |
Dll.dll | 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 | |
Dll.dll | 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 | |
Dll.dll | C8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 | |
180000000.dll | 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e |
Contributors
- Bharat Jogi, Director, Vulnerability and Threat Research, Qualys
- Mehul Revankar, VP, Product Management & Engineering for VMDR, Qualys
- Mayuresh Dani, Manager, Threat Research, Qualys
- Lavish Jhamb, Solution Architect, Compliance Solutions, Qualys
- Eran Livne, Senior Director, Endpoint Remediation, Qualys
- Mukesh Choudhary, Compliance Research Analyst, Qualys
- Mohd Anas Khan, Compliance Research Analyst, Qualys
- Arun Pratap Singh, Engineer, Threat Research, Qualys
- David Lu, Senior Engineer, Threat Research, Qualys