At least in one cybersecurity firm’s user base, the ProxyShell-like vulnerability is unexploited; but prompt patches have not been released either
Two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are currently under further investigation.
The first, CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. The first vulnerability can enable an authenticated attacker to remotely trigger CVE-2022-41082, but either vulnerability can be exploited separately as long as the attacker has authenticated access.
As of 3 October, Microsoft and other security companies have indicated that the exploitation of these vulnerabilities is still limited to targeted attacks. Also, according to investigators from Cybereason:
- The vulnerabilities have been identified due to known exploitation, but the malicious actors exploiting them have not been discovered by the team.
- As they are similar to ProxyShell and ProxyLogon, they have been dubbed ProxyNotShell.
- At the time of reporting, Microsoft has not yet provided a patch for the ProxyNotShell vulnerabilities, only mitigations. Until the patch is available, Microsoft recommends the following mitigation measures:
  - Add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns.
  - Use the tool released by Microsoft to mitigate CVE-2022-41040.
- Cybereason rates this threat as HIGH, and recommends the following measures:
  - Search for anomalous .aspx files in the directories associated with the Microsoft Internet Information Services (IIS) component, in which adversaries often deploy web shells after exploiting ProxyNotShell. These include: Inetpub\wwwroot\aspnet_client, \Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\inetpub\wwwroot\aspnet_client\, \Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\, and subdirectories of \Users\All Users\
  - Search the IIS logs for the exploitation pattern with the following command, replacing the placeholder with the IIS log directory: Get-ChildItem -Recurse -Path <IIS log directory> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
Based on the search results, take further remediation actions, such as isolating the infected machines and deleting the payload file.
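The two hunting steps above (the log search and the sweep for new .aspx files) as one added, runnable example; this is not code from the article, Cybereason or Microsoft, and it is written in Python rather than PowerShell so it can be run against exported logs from any analysis host. It applies the page's Select-String regex exactly as quoted (case-insensitively, which is Select-String's default), and adds a field-aware check that parses the IIS W3C `#Fields` directive instead of relying on token order. The order matters: the page's regex expects `powershell` to appear before `autodiscover.json` on the line, and in a W3C line the request stem is logged before the query string, so the field-aware check is the one to rely on for that log layout. The sample log, the hostnames and IPs, the `X-Rps-CAT` placeholder and the file names in the sample directory tree are all constructed; the suspicious-request shape (autodiscover.json request whose query carries `@` and a powershell path) is taken from the tokens in the page's own regex.

```python
"""Hunting ProxyNotShell (CVE-2022-41040 / CVE-2022-41082) traces on an Exchange host:
the page's Select-String regex, an order-independent field-aware check over IIS W3C
logs, and a sweep for recently written .aspx files in directories shaped like the ones
the page names. Sample data below is constructed, not a real capture."""
import os
import re
import tempfile
import time

# Pattern quoted on the page; Select-String is case-insensitive by default, so match the same way.
PAGE_PATTERN = re.compile(r'powershell.*autodiscover\.json.*\@.*200', re.IGNORECASE)


def matches_page_pattern(line):
    """True when a raw log line contains the tokens in the order the page's regex expects."""
    return PAGE_PATTERN.search(line) is not None


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith('#Fields:'):
            fields = raw.split()[1:]
        elif raw.startswith('#') or not raw.strip():
            continue
        elif fields is None:
            raise ValueError('data line precedes #Fields directive')
        else:
            values = raw.split(' ')
            if len(values) == len(fields):  # skip malformed lines rather than misalign columns
                yield dict(zip(fields, values))


def is_proxynotshell_request(entry):
    """Order-independent check on parsed fields: an autodiscover.json request whose query
    string carries both the '@' marker and a powershell path, the tokens in the page's regex."""
    stem = entry.get('cs-uri-stem', '').lower()
    query = entry.get('cs-uri-query', '').lower()
    return stem.endswith('/autodiscover.json') and '@' in query and 'powershell' in query


def scan_w3c(text):
    """Return (succeeded, attempted): matching requests split by HTTP 200 versus any other
    status. The page keys on 200, but rejected attempts still show the host is being probed."""
    succeeded, attempted = [], []
    for entry in parse_w3c(text):
        if is_proxynotshell_request(entry):
            (succeeded if entry.get('sc-status') == '200' else attempted).append(entry)
    return succeeded, attempted


def find_recent_aspx(root, since_epoch):
    """Recursively list .aspx files under root modified at or after since_epoch (seconds).
    A dropped web shell is typically a new .aspx in a web-served directory; diff against a baseline."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith('.aspx') and os.path.getmtime(full) >= since_epoch:
                found.append(full)
    return sorted(found)


# Constructed IIS W3C excerpt: hypothetical hosts and IPs, placeholder X-Rps-CAT value.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 192.0.2.10 Mozilla/5.0 200
2022-10-03 08:16:22 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/?X-Rps-CAT=PLACEHOLDER 443 user@example.test 198.51.100.7 python-requests/2.28 200
2022-10-03 08:16:30 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/?X-Rps-CAT=PLACEHOLDER 443 - 198.51.100.7 python-requests/2.28 401
2022-10-03 08:17:05 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test 443 user@example.test 192.0.2.10 Outlook/16.0 200
"""


def build_sample_tree():
    """Create a throwaway directory shaped like the page's web-shell locations: one backdated
    legitimate .aspx, one freshly written .aspx (constructed name) and a .config.
    Returns (root, cutoff_epoch) where the cutoff is one hour ago."""
    root = tempfile.mkdtemp(prefix='proxynotshell_hunt_')
    auth = os.path.join(root, 'FrontEnd', 'HttpProxy', 'owa', 'auth')
    client = os.path.join(root, 'wwwroot', 'aspnet_client')
    os.makedirs(auth)
    os.makedirs(client)
    cutoff = time.time() - 3600
    legit = os.path.join(auth, 'logon.aspx')
    open(legit, 'w').close()
    os.utime(legit, (cutoff - 86400, cutoff - 86400))  # backdate the known-good file
    open(os.path.join(client, 'web.config'), 'w').close()
    open(os.path.join(client, 'dropped_example.aspx'), 'w').close()  # the "new" file to catch
    return root, cutoff


if __name__ == '__main__':
    ok, tried = scan_w3c(SAMPLE_LOG)
    print(f'ProxyNotShell-shaped requests: {len(ok)} answered 200, {len(tried)} rejected')
    for e in ok + tried:
        print(f"  {e['date']} {e['time']} {e['c-ip']} {e['cs-uri-stem']}?{e['cs-uri-query']} -> {e['sc-status']}")
    root, cutoff = build_sample_tree()
    print('recent .aspx files:', find_recent_aspx(root, cutoff))
```

On the sample, the field-aware scan flags the 200 response from 198.51.100.7 as a successful request and the 401 from the same source as a rejected attempt, while the legitimate Outlook autodiscover request (which also contains `@`, in an e-mail address) is not flagged. For a real hunt, point `scan_w3c` at the content of each `*.log` under the IIS log directory and `find_recent_aspx` at the Exchange and `inetpub` paths from the list above, with a cutoff chosen from the earliest suspicious log entry.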