Try our Devo Value Calculator
See How Much You Could Save

Request Demo
 

Devo logo

Request Demo
Security Operations

Zero Day Exploit for MS Exchange (ProxyNotShell)

By The Devo SciSec Team

September 30, 2022

On Sept. 29, 2022, cybersecurity organization GTSC publicized a report outlining attacks they have seen in the wild targeting as-yet unpatched vulnerabilities in Microsoft Exchange. When successfully exploited, this combination of vulnerabilities results in an authenticated remote code execution (RCE) attack. Until a patch has been issued, Microsoft has posted a security bulletin detailing a workaround.

CVE CVSSv3 Products Affected
CVE-2022-41040 8.8 MS Exchange 2013, 2016, 2019
CVE-2022-41082 8.8 MS Exchange 2013, 2016, 2019

Editor’s note: This blog was posted on September 30, 2022. Devo will continually monitor this situation and make updates to detections on an ongoing basis. Keep checking back here for the latest.

Indicators of Compromise

The bulk of the following IOCs are provided by the GTSC report:

Webshell1:

File Name: pxh4HG1v.ashx

            Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

            Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx



    File Name: RedirSuiteServiceProxy.aspx

            Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5

            Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx



    File Name: RedirSuiteServiceProxy.aspx

            Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca

            Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx



    File Name: Xml.ashx

            Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

            Path: Xml.ashx



    Filename: errorEE.aspx

    SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257

    Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

IP1:

125[.]212[.]220[.]48 5[.]180[.]61[.]17 47[.]242[.]39[.]92 61[.]244[.]94[.]85 86[.]48[.]6[.]69 86[.]48[.]12[.]64 94[.]140[.]8[.]48 94[.]140[.]8[.]113 103[.]9[.]76[.]208 103[.]9[.]76[.]211 104[.]244[.]79[.]6 112[.]118[.]48[.]186 122[.]155[.]174[.]188 125[.]212[.]241[.]134 185[.]220[.]101[.]182 194[.]150[.]167[.]88 212[.]119[.]34[.]11

URL1:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C21:

    137[.]184[.]67[.]33

User-agent1:

GTSC notes that AntSword was used to interface with dropped web shells, identified by the user-agent string.
Default UA strings for AntSword appear to follow the “antSword/vX.Y” format.

Possible Detections

The Devo SciSec team has provided the following queries customers can use to help detect attack attempts in their organizations:

 

from proxy.all.access where dstIp=206.188.196.77
from firewall.all.traffic where srcIp=137.184.67.33 or dstIp=137.184.67.33
from edr.all.threats where sha256hash="65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5" or sha256hash="b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca" or sha256hash="c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1" or sha256hash="be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257" or sha256hash="074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82" or sha256hash="45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9" or sha256hash="9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0" or sha256hash="29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3" or sha256hash="c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2" or sha256hash="76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e"
from firewall.all.traffic where srcIp=137.184.67.33 or dstIp=137.184.67.33
from edr.all.threats

where sha256hash="65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5" or sha256hash="b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca" or sha256hash="c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1" or sha256hash="be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257" or sha256hash="074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82" or sha256hash="45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9" or sha256hash="9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0" or sha256hash="29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3" or sha256hash="c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2" or sha256hash="76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e"
from web.all.access

where toktains(raw,"/Autodiscover/autodiscover.json")

select method, userAgent, url, raw, str(srcIp) as entity_sourceIp, serverName as entity_servername

group every 5m by method, userAgent, url, srcIp, serverName, statusCode

where `or` (statusCode=302, statusCode=200, statusCode=401)

where `or`(weaktoktains(url, "powershell"), weaktoktains(url, "/mapi/")

References

  1. https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
  2. https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html
  3. https://borncity.com/win/2022/09/30/microsofts-empfehlungen-fr-die-exchange-server-0-day-schwachstelle-zdi-can-18333/
  4. https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US
  5. https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
  6. https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  7. https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c

Related Posts

Post

CISO Leadership Panel: Tips on Hiring and Keeping SOC Talent

Security Operations

Post

Key Security AI Adoption Trends for 2023

Security Operations

View All Posts

More Data. More Clarity. More Confidence.

Get Started