Researchers from GTSC found a new zero-day vulnerability for Microsoft Exchange Server being exploited in the wild. Upon successful exploitation, threat actors can perform RCE (Remote Code Execution) via a backdoor on the compromised system. GTSC has released a report outlining the current information surrounding this vulnerability. While a patch for this vulnerability is not yet available from Microsoft, GTSC recommends that Microsoft Exchange users add a rule to block certain requests from being processed, and it provides options for detecting the exploit within your systems.

Barracuda XDR currently has rules in place to pick up on relevant IoCs & TTPs (Indicators of compromise & Tactics, Techniques, and Procedures).

What is the threat?

This attack exploits a zero-day vulnerability in Microsoft Exchange Server 2013, 2016, and 2019. A zero-day vulnerability is a previously unknown security flaw that a threat actor can target with malicious code. When this vulnerability is exploited, it allows the attacker to perform RCE via a backdoor on the compromised systems. It is classified as an “enable an authenticated attacker” vulnerability, since authentication is required to reach the vulnerable servers. After extensive research, the GTSC team discovered the vulnerability and submitted it to ZDI (Zero Day Initiative). The upcoming ZDI advisories for these vulnerabilities are labelled ZDI-CAN-18802 (CVSS score 6.3) and ZDI-CAN-18333 (CVSS score 8.8). The company is currently in contact with Microsoft, who has yet to confirm the vulnerability.

Why is it noteworthy?

Given the nature of a zero-day vulnerability, there is typically no immediate patch or remediation available once it is discovered, which makes it very dangerous and can have severe repercussions for customers once it is exploited. On the business side, Microsoft Exchange Server is one of the most widely used mail and calendaring services across the globe. This means that many businesses can fall victim to this zero-day vulnerability, and it is important for them to act as soon as they can.

What is the exposure or risk?

The Microsoft Exchange Server zero-day can lead to severe exposure and risk. Upon successful exploitation, a threat actor can create a backdoor into the victim’s systems. This can enable lateral movement across the network to other servers, giving the attacker a better view of the assets within the victim’s infrastructure. This type of intrusion can lead to RCE used for data theft, malware deployment, and much more.

What are the recommendations?

Barracuda MSP recommends the following actions to remediate this vulnerability:

  • Add a rule to block requests with indicators of attack through the URL Rewrite Rule module on the IIS server, using the URL path string: ".*autodiscover\.json.*\@.*Powershell.*"
  • Read the detection guidelines released by GTSC, which suggest:
    • Running the PowerShell command: Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
    • Downloading NCSE0Scanner to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder).
  • Follow the official Microsoft mitigation steps for CVE-2022-41040 and CVE-2022-41082.
  • Implement the principle of least privilege as much as possible within your organization.
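The Select-String command above is a one-liner; the following is an added example (not code from GTSC, Microsoft or Barracuda) that applies the same detection pattern to IIS W3C log lines in Python, so the logic can be run offline or folded into a log pipeline. It goes slightly beyond the one-liner in two ways: it matches case-insensitively (Select-String is case-insensitive by default, which a naive port would lose), and it checks the `sc-status` column for 200 rather than matching the literal "200" anywhere on the line. The log excerpt, IP addresses and host names are constructed for the example.

```python
import re
from typing import Dict, Iterator, List

# Detection pattern from the GTSC guidance quoted in this post. Select-String is
# case-insensitive by default, so the port must pass re.IGNORECASE or it would
# miss "Powershell" / "PowerShell" spellings in the request URI.
IOA_PATTERN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic). The field order follows
# the default IIS W3C logging layout; IIS writes a "#Fields:" header line that
# names the columns, and the parser below relies on it rather than on fixed
# column positions.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:01:12 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2022-09-30 08:02:45 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/owa/ 443 - 198.51.100.8 Mozilla/5.0 200 0 0 15
2022-09-30 08:03:10 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/Powershell 443 - 203.0.113.9 python-requests/2.28 200 0 0 120
2022-09-30 08:03:11 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 203.0.113.9 python-requests/2.28 401 1 0 8
"""


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # IIS may emit a new #Fields header mid-file if logging options change.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_ioa_hits(log_text: str, require_200: bool = True) -> List[Dict[str, str]]:
    """Return request records whose URI matches the GTSC indicator of attack.

    With require_200=True only requests the server answered with HTTP 200 are
    reported, mirroring the "...200" tail of the Select-String pattern but tied
    to the sc-status column so a "200" elsewhere on the line cannot match.
    """
    hits = []
    for rec in parse_iis_w3c(log_text):
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        if not IOA_PATTERN.search(target):
            continue
        if require_200 and rec.get("sc-status") != "200":
            continue
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec.get("c-ip", "-"),
            "method": rec.get("cs-method", "-"),
            "status": rec.get("sc-status", "-"),
            "uri": target,
        })
    return hits


if __name__ == "__main__":
    # Usage: swap SAMPLE_IIS_LOG for the contents of a file from
    # %SystemDrive%\inetpub\logs\LogFiles and review every reported line.
    for hit in find_ioa_hits(SAMPLE_IIS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['status']} {hit['uri']}")
```

Run with `require_200=False` to also surface attempts that were rejected (the 401 line in the sample); those are still worth reviewing, since they show who is probing the server even when the request failed.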

Check frequently for Microsoft patches addressing this vulnerability and install them immediately once they are available.

References

For more in-depth information about the recommendations and references used in this article, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Posted by Matthew Russo

Matthew is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Matthew supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.