Zero Day Exploit for MS Exchange (ProxyNotShell)

By The Devo SciSec Team

September 30, 2022

On Sept. 29, 2022, the cybersecurity organization GTSC publicized a report outlining attacks it has seen in the wild targeting as-yet unpatched vulnerabilities in Microsoft Exchange. When successfully exploited, this combination of vulnerabilities results in an authenticated remote code execution (RCE) attack. Until a patch is issued, Microsoft has posted a security bulletin detailing a workaround.

CVE             CVSSv3   Products Affected
CVE-2022-41040  8.8      MS Exchange 2013, 2016, 2019
CVE-2022-41082  8.8      MS Exchange 2013, 2016, 2019

Editor’s note: This blog was posted on September 30, 2022. Devo will continually monitor this situation and make updates to detections on an ongoing basis. Keep checking back here for the latest.

Indicators of Compromise

The bulk of the following IOCs are provided by the GTSC report:

Webshell:

File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

File Name: errorEE.aspx
Hash (SHA256): be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

IP:

125[.]212[.]220[.]48 5[.]180[.]61[.]17 47[.]242[.]39[.]92 61[.]244[.]94[.]85 86[.]48[.]6[.]69 86[.]48[.]12[.]64 94[.]140[.]8[.]48 94[.]140[.]8[.]113 103[.]9[.]76[.]208 103[.]9[.]76[.]211 104[.]244[.]79[.]6 112[.]118[.]48[.]186 122[.]155[.]174[.]188 125[.]212[.]241[.]134 185[.]220[.]101[.]182 194[.]150[.]167[.]88 212[.]119[.]34[.]11

URL:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:

137[.]184[.]67[.]33

User-agent:

GTSC notes that AntSword was used to interface with dropped web shells, identified by the user-agent string.
Default UA strings for AntSword appear to follow the “antSword/vX.Y” format.

Possible Detections

The Devo SciSec team has provided the following queries customers can use to help detect attack attempts in their organizations:


from proxy.all.access where dstIp=206.188.196.77

from firewall.all.traffic where srcIp=137.184.67.33 or dstIp=137.184.67.33

from edr.all.threats where sha256hash="65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5" or sha256hash="b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca" or sha256hash="c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1" or sha256hash="be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257" or sha256hash="074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82" or sha256hash="45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9" or sha256hash="9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0" or sha256hash="29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3" or sha256hash="c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2" or sha256hash="76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e"

from web.all.access
where toktains(raw,"/Autodiscover/autodiscover.json")
select method, userAgent, url, raw, str(srcIp) as entity_sourceIp, serverName as entity_servername
group every 5m by method, userAgent, url, srcIp, serverName, statusCode
where `or`(statusCode=302, statusCode=200, statusCode=401)
where `or`(weaktoktains(url, "powershell"), weaktoktains(url, "/mapi/"))
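The following Python is an added illustration, not part of the original post or of Devo's query set: it applies the same three rules as the queries above (Autodiscover URL carrying a "powershell" or "/mapi/" token with a 200/302/401 response, the AntSword user-agent, and traffic from the published C2 address) to a handful of constructed IIS-style access log lines, so the logic can be checked offline before it is ported to a SIEM. The log layout and the sample addresses are assumptions for the example.

```python
import re

# Indicators and patterns taken from the IoC list and Devo queries above.
C2_IPS = {"137.184.67.33"}
ANTSWORD_UA = re.compile(r"antSword/v\d+\.\d+", re.IGNORECASE)
AUTODISCOVER = "/autodiscover/autodiscover.json"
SUSPECT_TOKENS = ("powershell", "/mapi/")
SUSPECT_STATUS = {200, 302, 401}

# Constructed sample lines (not real traffic): date time c-ip cs-method cs-uri sc-status cs(User-Agent)
SAMPLE_LOG = """\
2022-09-30 10:00:01 203.0.113.5 GET /owa/ 200 Mozilla/5.0
2022-09-30 10:00:02 198.51.100.7 POST /Autodiscover/autodiscover.json?a=powershell 401 Mozilla/5.0
2022-09-30 10:00:03 198.51.100.7 POST /Autodiscover/autodiscover.json?a=/mapi/ 200 Mozilla/5.0
2022-09-30 10:00:04 198.51.100.9 POST /owa/auth/pxh4HG1v.ashx 200 antSword/v2.1
2022-09-30 10:00:05 203.0.113.5 GET /Autodiscover/autodiscover.json?x=1 200 Mozilla/5.0
2022-09-30 10:00:06 137.184.67.33 GET /owa/ 404 curl/7.0
"""

def parse_line(line):
    """Split one log line into a record; the user-agent field may contain spaces."""
    _date, _time, src_ip, method, url, status, user_agent = line.split(None, 6)
    return {"src_ip": src_ip, "method": method, "url": url, "status": int(status), "user_agent": user_agent}

def classify(rec):
    """Return the names of the detection rules (from the queries above) a record matches."""
    reasons = []
    url = rec["url"].lower()
    # Rule 1 (web.all.access query): Autodiscover URL with a powershell or /mapi/ token, status 200/302/401.
    if (AUTODISCOVER in url and rec["status"] in SUSPECT_STATUS
            and any(tok in url for tok in SUSPECT_TOKENS)):
        reasons.append("autodiscover_url_pattern")
    # Rule 2: AntSword web-shell client, identified by its "antSword/vX.Y" user-agent.
    if ANTSWORD_UA.search(rec["user_agent"]):
        reasons.append("antsword_user_agent")
    # Rule 3 (firewall.all.traffic query): traffic from the published C2 address.
    if rec["src_ip"] in C2_IPS:
        reasons.append("known_c2_ip")
    return reasons

def scan(log_text):
    """Return (src_ip, url, reasons) for every line matching at least one rule."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src_ip"], rec["url"], reasons))
    return hits
```

The plain Autodiscover request on the fifth sample line is deliberately left unflagged: without the powershell or /mapi/ token it matches none of the rules, which is the same false-positive control the last `where` clause of the Devo query provides.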
