09/30/2022 | News release | Archived content
On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named "ProxyNotShell") in Microsoft Exchange Server via two advisories issued by Zero Day Initiative: ZDI-CAN-18333 and ZDI-CAN-18802.
The first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft mentions that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.
On September 30, 2022, Microsoft released an advisory acknowledging that they are "aware of limited targeted attacks using the two vulnerabilities to get into users' systems."
Threat actors are chaining these two zero-day vulnerabilities to deploy Chinese Chopper web shells on vulnerable Microsoft Exchange Servers for persistence and data theft. Based on the code on these web shells, GTSC suspects that these threat actors are based in China. As a result, CISA has added these vulnerabilities to its list of Known Exploited Vulnerabilities Catalog.
These vulnerabilities affect the following versions of Exchange Server:
Qualys customers can use the following QID to identify potentially vulnerable assets in their environments.
QID | Title | Release Versions |
50122 | Microsoft Exchange Server Multiple Vulnerabilities (Zero Day) | VULNSIGS-2.5.596-5 or later and QAGENT-SIGNATURE-SET-2.5.596.5-4 or later |
Here are the steps that your organization can take to rapidly respond to the zero-day threat of ProxyNotShell using Qualys VMDR.
The first step in managing these critical vulnerabilities and reducing risk is identification of your potentially vulnerable assets. Qualys VMDR makes it easy to identify Windows Exchange Server systems.
Use the following Qualys Query Language (QQL) string:
operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)
Qualys CSAM displays inventory of all Microsoft Exchange Server assetsOnce the hosts are identified, they can be grouped together with a 'dynamic tag', for example: "ProxyNotShell Exchange Server 0-day". This helps in automatically grouping existing hosts with the zero-days as well as any new Windows Exchange Server that is provisioned in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout the Qualys Cloud Platform.
Using the VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.
Read the Article (Qualys Customer Portal): ProxyNotShell Exchange Server 0-Day Dashboard | Critical Global View
Exchange Server 0-Day Dashboard in Qualys VMDRNow that hosts running Microsoft Exchange Server are identified, you will want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always up-to-date Qualys KnowledgeBase (KB).
You can see all your impacted hosts for this vulnerability tagged with the 'Exchange Server 0-day' asset tag in the vulnerabilities view by using this QQL query:
VMDR query: vulnerabilities.vulnerability.qid: 50122
Qualys VMDR isolates all Exchange Server assets with the vulnerability QID 50122QID 50122 is available in signature version VULNSIGS-2.5.596-5 and above. It can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 2.5.596.5-4 and above.
Microsoft has released Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server [msrc-blog.microsoft.com]. According to the blog post, "Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems." The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.
Note: Microsoft Exchange Online is not affected.
An attacker could exploit these vulnerabilities to take control of an affected system.
Qualys Patch Management and Qualys Custom Assessment and Remediation (CAR) customers can leverage the scripting capabilities of both products to deploy mitigation actions to their Exchange Servers.
By leveraging Qualys CAR's scripting capabilities or Patch Management's pre-actions capabilities, customers can deploy a PowerShell script to apply the mitigations recommended by Microsoft.
Refer to the Qualys scripting library on GitHub for the mitigation script and execute it via Qualys CAR on required assets.
Based on the post-exploitation activity from multiple threat actors, Qualys Multi-Vector EDR customers can hunt for the following malicious activities:
Interested Qualys Context XDR customers can contact their Technical Account Managers for the following rules:
With Qualys Context XDR, customers have the power to write their own detections as well. An example of a generic rule that detects ProxyNotShell attempts is shown below:
Filenames | SHA256 Hash | Path |
Pxh4HG1v.ashx | c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
RedirSuiteServiceProxy.aspx | 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5 | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
RedirSuiteServiceProxy.aspx | b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
xml.ashx | c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | |
errorEE.aspx | be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257 | %ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\ |
Dll.dll | 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 | |
Dll.dll | 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 | |
Dll.dll | 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 | |
Dll.dll | 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 | |
Dll.dll | C8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 | |
180000000.dll | 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e |