Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform

On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named "ProxyNotShell") in Microsoft Exchange Server via two advisories issued by Zero Day Initiative: ZDI-CAN-18333 and ZDI-CAN-18802.

The first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft mentions that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

On September 30, 2022, Microsoft released an advisory acknowledging that they are "aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

Threat actors are chaining these two zero-day vulnerabilities to deploy Chinese Chopper web shells on vulnerable Microsoft Exchange Servers for persistence and data theft. Based on the code on these web shells, GTSC suspects that these threat actors are based in China. As a result, CISA has added these vulnerabilities to its list of Known Exploited Vulnerabilities Catalog.

These vulnerabilities affect the following versions of Exchange Server:

• Exchange Server 2013
• Exchange Server 2016
• Exchange Server 2019

Qualys Vulnerability Coverage (QID)

Qualys customers can use the following QID to identify potentially vulnerable assets in their environments.

QID	Title	Release Versions
50122	Microsoft Exchange Server Multiple Vulnerabilities (Zero Day)	VULNSIGS-2.5.596-5 or later and QAGENT-SIGNATURE-SET-2.5.596.5-4 or later

Detect ProxyNotShell Using Qualys VMDR

Here are the steps that your organization can take to rapidly respond to the zero-day threat of ProxyNotShell using Qualys VMDR.

Identify Microsoft Exchange Server Assets

The first step in managing these critical vulnerabilities and reducing risk is identification of your potentially vulnerable assets. Qualys VMDR makes it easy to identify Windows Exchange Server systems.

Use the following Qualys Query Language (QQL) string:

operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)

Qualys CSAM displays inventory of all Microsoft Exchange Server assets

Once the hosts are identified, they can be grouped together with a 'dynamic tag', for example: "ProxyNotShell Exchange Server 0-day". This helps in automatically grouping existing hosts with the zero-days as well as any new Windows Exchange Server that is provisioned in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout the Qualys Cloud Platform.

Using the VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.

Read the Article (Qualys Customer Portal): ProxyNotShell Exchange Server 0-Day Dashboard | Critical Global View

Exchange Server 0-Day Dashboard in Qualys VMDR

Discover ProxyNotShell Exchange Server Zero-Day Vulnerabilities

Now that hosts running Microsoft Exchange Server are identified, you will want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always up-to-date Qualys KnowledgeBase (KB).

You can see all your impacted hosts for this vulnerability tagged with the 'Exchange Server 0-day' asset tag in the vulnerabilities view by using this QQL query:

VMDR query: vulnerabilities.vulnerability.qid: 50122

Qualys VMDR isolates all Exchange Server assets with the vulnerability QID 50122

QID 50122 is available in signature version VULNSIGS-2.5.596-5 and above. It can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 2.5.596.5-4 and above.

Microsoft Guidance for Risk Mitigation of ProxyNotShell

Microsoft has released Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server [msrc-blog.microsoft.com]. According to the blog post, "Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems." The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.

Note: Microsoft Exchange Online is not affected.

An attacker could exploit these vulnerabilities to take control of an affected system.

Remediation/Mitigation of ProxyNotShell

Qualys Patch Management and Qualys Custom Assessment and Remediation (CAR) customers can leverage the scripting capabilities of both products to deploy mitigation actions to their Exchange Servers.

By leveraging Qualys CAR's scripting capabilities or Patch Management's pre-actions capabilities, customers can deploy a PowerShell script to apply the mitigations recommended by Microsoft.

Refer to the Qualys scripting library on GitHub for the mitigation script and execute it via Qualys CAR on required assets.

Detect Malicious Behavior related to ProxyNotShell using Qualys Multi-Vector EDR

Based on the post-exploitation activity from multiple threat actors, Qualys Multi-Vector EDR customers can hunt for the following malicious activities:

1. Detecting usual children of w3wp.exe such as:

• csc.exe
• transcodingservice.exe
• werfault.exe
• powershell
• powershell_ise
• python
• curl.exe

1. Detecting webshell-like files with the following extensions being written on an Exchange Server:

• .ashx
• .aspx
• .asmx
• .asax

Detect Exploitation Attempts related to ProxyNotShell using Qualys Context XDR

Interested Qualys Context XDR customers can contact their Technical Account Managers for the following rules:

1. T1190 - [Akamai WAF] ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082)

1. T1190 - ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082)

1. T1190 - [Trend Micro TippingPoint IPS] ProxyNotShell RCE Vulnerability Exploitation Detected

1. T1190 - ProxyNotShell RCE Vulnerability Exploitation Detected via Firewall (CVE-2022-41040/CVE-2022-41082)

With Qualys Context XDR, customers have the power to write their own detections as well. An example of a generic rule that detects ProxyNotShell attempts is shown below:

Indicators of Compromise (IOCs) for ProxyNotShell

Filenames	SHA256 Hash	Path
Pxh4HG1v.ashx	c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1	%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
RedirSuiteServiceProxy.aspx	65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5	%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
RedirSuiteServiceProxy.aspx	b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca	%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
xml.ashx	c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
errorEE.aspx	be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257	%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
Dll.dll	074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
Dll.dll	45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
Dll.dll	9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
Dll.dll	29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
Dll.dll	C8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
180000000.dll	76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

Contributors

• Bharat Jogi, Director, Vulnerability and Threat Research, Qualys
• Mehul Revankar, VP, Product Management & Engineering for VMDR, Qualys
• Mayuresh Dani, Manager, Threat Research, Qualys
• Lavish Jhamb, Solution Architect, Compliance Solutions, Qualys
• Eran Livne, Senior Director, Endpoint Remediation, Qualys
• Mukesh Choudhary, Compliance Research Analyst, Qualys
• Mohd Anas Khan, Compliance Research Analyst, Qualys
• Arun Pratap Singh, Engineer, Threat Research, Qualys
• David Lu, Senior Engineer, Threat Research, Qualys

Public link

Please use the above public link if you want to share this noodl on another website.