Zero Day Exploit for MS Exchange (ProxyNotShell)

On Sept. 29, 2022, cybersecurity organization GTSC publicized a report outlining attacks they have seen in the wild targeting as-yet unpatched vulnerabilities in Microsoft Exchange. When successfully exploited, this combination of vulnerabilities results in an authenticated remote code execution (RCE) attack. Until a patch has been issued, Microsoft has posted a security bulletin detailing a workaround.

CVE CVSSv3 Products Affected
CVE-2022-41040 8.8 MS Exchange 2013, 2016, 2019
CVE-2022-41082 8.8 MS Exchange 2013, 2016, 2019

Editor’s note: This blog was posted on September 30, 2022. Devo will continually monitor this situation and make updates to detections on an ongoing basis. Keep checking back here for the latest.

Indicators of Compromise

The bulk of the following IOCs are provided by the GTSC report:

Webshell1:

File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

Filename: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

IP1:

125[.]212[.]220[.]48 5[.]180[.]61[.]17 47[.]242[.]39[.]92 61[.]244[.]94[.]85 86[.]48[.]6[.]69 86[.]48[.]12[.]64 94[.]140[.]8[.]48 94[.]140[.]8[.]113 103[.]9[.]76[.]208 103[.]9[.]76[.]211 104[.]244[.]79[.]6 112[.]118[.]48[.]186 122[.]155[.]174[.]188 125[.]212[.]241[.]134 185[.]220[.]101[.]182 194[.]150[.]167[.]88 212[.]119[.]34[.]11

URL1:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C21:

    137[.]184[.]67[.]33

User-agent1:

GTSC notes that AntSword was used to interface with dropped web shells, identified by the user-agent string.
Default UA strings for AntSword appear to follow the “antSword/vX.Y” format.

Possible Detections

The Devo SciSec team has provided the following queries customers can use to help detect attack attempts in their organizations:

 

from proxy.all.access where dstIp=206.188.196.77
from firewall.all.traffic where srcIp=137.184.67.33 or dstIp=137.184.67.33
from edr.all.threats where sha256hash=u002265a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5u0022 or sha256hash=u0022b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268cau0022 or sha256hash=u0022c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1u0022 or sha256hash=u0022be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257u0022 or sha256hash=u0022074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82u0022 or sha256hash=u002245c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9u0022 or sha256hash=u00229ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0u0022 or sha256hash=u002229b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3u0022 or sha256hash=u0022c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2u0022 or sha256hash=u002276a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701eu0022
from firewall.all.traffic where srcIp=137.184.67.33 or dstIp=137.184.67.33
from edr.all.threats
where sha256hash=u002265a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5u0022 or sha256hash=u0022b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268cau0022 or sha256hash=u0022c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1u0022 or sha256hash=u0022be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257u0022 or sha256hash=u0022074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82u0022 or sha256hash=u002245c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9u0022 or sha256hash=u00229ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0u0022 or sha256hash=u002229b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3u0022 or sha256hash=u0022c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2u0022 or sha256hash=u002276a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701eu0022
from web.all.access
where toktains(raw,u0022/Autodiscover/autodiscover.jsonu0022)
select method, userAgent, url, raw, str(srcIp) as entity_sourceIp, serverName as entity_servername
group every 5m by method, userAgent, url, srcIp, serverName, statusCode
where `or` (statusCode=302, statusCode=200, statusCode=401)
where `or`(weaktoktains(url, u0022powershellu0022), weaktoktains(url, u0022/mapi/u0022)

References

  1. https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
  2. https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html
  3. https://borncity.com/win/2022/09/30/microsofts-empfehlungen-fr-die-exchange-server-0-day-schwachstelle-zdi-can-18333/
  4. https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US
  5. https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
  6. https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  7. https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c