What we know

UPDATE 01-Oct-22: Microsoft Security Threat Intelligence released updated mitigation guidance through their blog. This is noted in the Mitigations section.

GreyNoise is investigating claims of multiple zero-day vulnerabilities in Microsoft Exchange Server, nicknamed ProxyNotShell.

Microsoft announced these are being tracked under the following CVEs:

  • The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability
  • The second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker

Microsoft has reserved the CVEs, and details have since been added to the MITRE database:

These vulnerabilities are also being tracked by the Zero Day Initiative (ZDI) under ZDI-CAN-18333 and ZDI-CAN-18802; ZDI demonstrated the exploit on Twitter.

GreyNoise is currently monitoring for any activity matching indicators described in the original vulnerability write-up.

This vulnerability is similar to (but not the same as) ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

How to track ProxyNotShell in GreyNoise

GreyNoise has released a single tag for tracking IPs that check hosts for the presence of the ProxyNotShell vulnerability:

GreyNoise is actively monitoring for additional information needed to track and tag ProxyNotShell Vuln Attempts.

Users can also search for the vulnerabilities using GNQL, by CVE:

    cve:CVE-2022-41040 OR cve:CVE-2022-41082

or by tag name:

    tags:"Exchange ProxyNotShell Vuln Check"

Please note that this tag is not the same as the tags used to track ProxyShell (2021):

What GreyNoise has observed

The write-up authors also note that they “detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.” Using this information, GreyNoise researchers searched historical sensor records from 2021-01-01 to 2022-09-29 for ProxyShell-related backend paths. GreyNoise has not observed any new backend paths in use since 2021-08-27.
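The “same format as ProxyShell” observation is something defenders can check in their own IIS logs rather than waiting on sensor data. The following is an added example, not GreyNoise code and not taken from the original write-up: it parses IIS W3C records and flags Autodiscover requests whose URL-decoded URI also references the PowerShell endpoint, which a legitimate Autodiscover request has no reason to do. The log lines are constructed for illustration, and the two marker strings are this example's assumption about the request shape based on public reporting. A naive literal-'@' rule is included alongside the decoded check to show why matching on the raw, still-encoded line misses a trivially obfuscated request.

```python
"""Scan IIS W3C logs for ProxyShell-style Autodiscover/PowerShell requests.

Added example (not GreyNoise or Microsoft code). The sample log and the
marker strings below are constructed assumptions for illustration.
"""
import re
from urllib.parse import unquote

# Constructed IIS log excerpt using the default W3C field layout. Line 2 is a
# ProxyShell-shaped request, line 3 is the same request with '@' encoded as
# %40, and lines 1 and 4 are benign OWA / Autodiscover traffic.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2022-09-29 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 203.0.113.9 python-requests/2.28 - 200 0 0 1200
2022-09-29 10:15:12 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.test/PowerShell&Email=autodiscover/autodiscover.json%3f%40evil.test 443 - 203.0.113.9 python-requests/2.28 - 401 1 0 44
2022-09-29 10:16:40 10.0.0.5 GET /autodiscover/autodiscover.json - 443 user@example.test 192.0.2.14 Outlook/16.0 - 200 0 0 15
"""

# A literal-'@' rule in the style of the first public detections. Run against
# the raw line it misses the %40-encoded variant (sample line 3).
NAIVE_RULE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


def naive_match(line: str) -> bool:
    """Raw-line regex match; kept only to contrast with the decoded check."""
    return bool(NAIVE_RULE.search(line))


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; IIS encodes spaces inside fields
        yield dict(zip(fields, values))


def decode_fully(uri: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so %2540-style nesting is unwrapped."""
    for _ in range(rounds):
        nxt = unquote(uri)
        if nxt == uri:
            break
        uri = nxt
    return uri


def is_proxyshell_style(stem: str, query: str) -> bool:
    """True when the decoded URI is an Autodiscover request that names the
    PowerShell backend. Assumed marker pair; '@' is deliberately not required
    so encoding or substitution of the separator does not evade the check."""
    uri = f"{stem}?{query}" if query != "-" else stem
    low = decode_fully(uri).lower()
    return "autodiscover" in low and "powershell" in low


def scan_iis_log(text: str):
    """Return suspicious records as dicts: client IP, HTTP status, decoded URI."""
    hits = []
    for rec in parse_w3c(text):
        if is_proxyshell_style(rec["cs-uri-stem"], rec["cs-uri-query"]):
            hits.append({
                "c_ip": rec["c-ip"],
                "status": int(rec["sc-status"]),
                "uri": decode_fully(f'{rec["cs-uri-stem"]}?{rec["cs-uri-query"]}'),
            })
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_IIS_LOG):
        # A 200 on such a request means IIS proxied it to the backend and is
        # worth investigating first; a 401 still records the attempt.
        print(f'{h["c_ip"]} {h["status"]} {h["uri"]}')
```

Point `scan_iis_log` at the contents of a real `u_ex*.log` file from `C:\inetpub\logs\LogFiles\W3SVC1\` and pivot on the flagged `c-ip` values, for example by checking them against the GreyNoise tag described above. The decoding step matters: a rule applied to the still-encoded request line, like `NAIVE_RULE` here, catches only one of the two constructed attempts.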

The GreyNoise Analyzer shows that four of the IOC IPs have been observed by GreyNoise:

Source: GreyNoise Visualizer

Of these, 104[.]244[.]79[.]6 and 185[.]220[.]101[.]182 are Tor exits:

GreyNoise did not observe any OWA-related traffic from them in the past year.

The other two IPs, 137[.]184[.]67[.]33 (the C2) and 103[.]9[.]76[.]208, can be seen here:

At this time, GreyNoise has not observed anything believed to be related to the vulnerability from these IPs in the past year.

Ongoing Monitoring

Microsoft indicated that CVE-2022-41040 could enable an authenticated attacker to trigger CVE-2022-41082 remotely. The chain is similar to the 2021 ProxyShell vulnerability, which involved fabricating an authentication token. At this time, we lack the information necessary to determine whether “ProxyNotShell” leverages a similar authentication token leak.

Mitigations

Microsoft Security Threat Intelligence publishes official, up-to-date mitigation guidance through their blog.

Additionally, anyone can download the blocklist for the ‘Exchange ProxyNotShell Vuln Check’ tag to block those IPs at their firewall. For more information on how this works, please see the GreyNoise documentation on Firewall Blocking with GreyNoise Trends.

There is currently no patch available for these vulnerabilities. We will update this blog with more information as it becomes available.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.