Analysis
On 29 September 2022, the Microsoft Security Response Center (MSRC) published a blog post on two reported zero-day vulnerabilities in Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 (Exchange Online is not affected).
The first, CVE-2022-41040, is a Microsoft Exchange Server Elevation of Privilege vulnerability (a server-side request forgery, SSRF, in the Exchange front end) with a CVSS (Common Vulnerability Scoring System) score of 8.1. The second, CVE-2022-41082, is a Microsoft Exchange Server Remote Code Execution vulnerability with a CVSS score of 8.3; it is exploitable when the attacker can reach Exchange PowerShell remoting. Authenticated access to the Exchange server is required to exploit either vulnerability.
Both vulnerabilities were reported as actively exploited in the wild, and Chinese attack groups are suspected of being behind the exploitation.
MSTIC (Microsoft Threat Intelligence Center) observed the activity in August 2022: a single activity group gained initial access to and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082, then installed the Chopper web shell for hands-on-keyboard access, which it used for Active Directory (AD) reconnaissance and data exfiltration.
Mitigation
Follow the mitigation steps in MSRC's customer guidance at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/. The guidance consists of a URL Rewrite rule on the Exchange front end that aborts requests whose URI contains both "autodiscover" and "powershell", and disabling remote PowerShell access for non-administrative users. Microsoft revised the rewrite pattern more than once after bypasses of the original rule were published, so apply the current version of the guidance rather than a copy of the first one. These are interim mitigations, not a fix: install the Exchange Server Security Update that addresses both CVEs (released in the November 2022 SUs) as soon as it is available for your version.
Detection
Load the indicators of compromise listed below into the SIEM (Security Information and Event Management) tool and alert on matches in firewall, proxy and Exchange IIS logs. Because the exploit chain goes through the Exchange front end, also alert on IIS requests whose URI contains both "autodiscover" and "powershell", and on newly created .aspx files under the Exchange front-end directories, which is where the Chopper web shell was dropped.
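The following is an added example, not code from this advisory or from Microsoft's guidance: a small Python scanner that reads W3C-format IIS logs from an Exchange front end, flags requests whose URI carries both "autodiscover" and "powershell" (the chained-request shape that MSRC's detection guidance describes), and flags client IPs that match the network indicators in the IOC table below. The log lines are constructed for the example; the field layout, host names and client IPs other than the advisory's own indicators are assumptions.

```python
"""Added example (not part of the advisory or of Microsoft's guidance): scan
IIS W3C logs from an Exchange front end for the CVE-2022-41040/41082 request
shape and for the network indicators listed in this advisory."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

# Network indicators copied from the advisory's IOC table, kept defanged.
IOC_IPS_DEFANGED = [
    "137[.]184[.]67[.]33",  # listed as C2
    "125[.]212[.]220[.]48", "5[.]180[.]61[.]17", "47[.]242[.]39[.]92",
    "61[.]244[.]94[.]85", "86[.]48[.]6[.]69", "86[.]48[.]12[.]64",
    "94[.]140[.]8[.]48", "94[.]140[.]8[.]113", "103[.]9[.]76[.]208",
    "103[.]9[.]76[.]211", "104[.]244[.]79[.]6", "112[.]118[.]48[.]186",
    "122[.]155[.]174[.]188", "125[.]212[.]241[.]134", "185[.]220[.]101[.]182",
    "194[.]150[.]167[.]88", "212[.]119[.]34[.]11",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp://1[.]2[.]3[.]4') back into matchable text."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s)


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str
    uri: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each request line, naming the columns
    from the most recent '#Fields:' directive. Directive lines, blank lines,
    lines before any header, and lines with the wrong column count are skipped."""
    fields = None
    for no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield no, dict(zip(fields, values))


def request_uri(rec: Dict[str, str]) -> str:
    """Rebuild the request URI; IIS logs '-' when there is no query string."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per matching condition on each request line."""
    hits: List[Hit] = []
    for no, rec in parse_w3c(lines):
        uri = request_uri(rec)
        low = uri.lower()
        ip = rec.get("c-ip", "")
        # Request shape of the chain: an Autodiscover request whose URI also
        # names the PowerShell back end (per MSRC's detection guidance).
        if "autodiscover" in low and "powershell" in low:
            hits.append(Hit(no, ip, "autodiscover+powershell request shape", uri))
        if ip in IOC_IPS:
            hits.append(Hit(no, ip, "client IP in advisory IOC list", uri))
    return hits


# Constructed sample log (not a real capture). Line 3 mimics the chained
# request shape; line 5 comes from the advisory's listed C2 address.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3F@example.test 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-30 10:15:03 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-30 10:16:00 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\alice 137.184.67.33 python-requests/2.28 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.reason} from {hit.client_ip}: {hit.uri}")
```

To run it against real data, replace the sample with the contents of the Exchange server's IIS log directory (by default under C:\inetpub\logs\LogFiles) and treat every hit as a lead for a web shell hunt on that server; the URI match is high-signal, while a client-IP match on its own only says that a listed address touched the server.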
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
--- | --- | ---
Resource Development | T1586.002 | Compromise Accounts: Email Accounts
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1047 | Windows Management Instrumentation
Persistence | T1505.003 | Server Software Component: Web Shell
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location
Defense Evasion | T1620 | Reflective Code Loading
Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory
Discovery | T1087 | Account Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1057 | Process Discovery
Discovery | T1049 | System Network Connections Discovery
Lateral Movement | T1570 | Lateral Tool Transfer
Collection | T1560.001 | Archive Collected Data: Archive via Utility
Indicators of Compromise (IOCs)
Type | Indicator
--- | ---
URL | hxxp://206[.]188[.]196[.]77:8080/themes.aspx
C2 | 137[.]184[.]67[.]33
IP | 125[.]212[.]220[.]48
IP | 5[.]180[.]61[.]17
IP | 47[.]242[.]39[.]92
IP | 61[.]244[.]94[.]85
IP | 86[.]48[.]6[.]69
IP | 86[.]48[.]12[.]64
IP | 94[.]140[.]8[.]48
IP | 94[.]140[.]8[.]113
IP | 103[.]9[.]76[.]208
IP | 103[.]9[.]76[.]211
IP | 104[.]244[.]79[.]6
IP | 112[.]118[.]48[.]186
IP | 122[.]155[.]174[.]188
IP | 125[.]212[.]241[.]134
IP | 185[.]220[.]101[.]182
IP | 194[.]150[.]167[.]88
IP | 212[.]119[.]34[.]11
SHA256 | 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
SHA256 | 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
SHA256 | 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
SHA256 | 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
SHA256 | c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
References
Microsoft MSRC
Microsoft Security