microsoft-exchange-vulnerability

Analysis

On 29 September 2022, the Microsoft Security Response Centre (MSRC) published a blog post on two reported zero-day vulnerabilities in Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

The first vulnerability is a Microsoft Exchange Server elevation of privilege vulnerability, classified as CVE-2022-41040 with a CVSS (Common Vulnerability Scoring System) score of 8.1. The second is a Microsoft Exchange Server remote code execution vulnerability, classified as CVE-2022-41082 with a CVSS score of 8.3.

It was also reported that the vulnerabilities are being actively exploited in the wild, and Chinese attack groups are suspected to be behind the exploitation.

MSTIC observed the activity in August 2022 from a single activity group that gains initial access and compromises Exchange servers by chaining the two CVEs, CVE-2022-41040 and CVE-2022-41082. The attackers then install the Chopper web shell to facilitate hands-on-keyboard access, which they use for AD (Active Directory) reconnaissance and data exfiltration.

Mitigation

Follow the mitigation steps suggested by MSRC at the link below: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Detection

Create rules in the SIEM (Security Information and Event Management) tool based on the known indicators of compromise listed below, so that any host or network event carrying one of them raises an alert.
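The following is an added example (not code from the original advisory) of the detection logic such a SIEM rule would implement, run over a handful of constructed log lines. The indicator values are copied verbatim, defanged, from the IOC table below; the loader refangs them, validates their format and reports any entry that could never match. Two of the SHA256 values as printed in the table are not 64 hexadecimal characters long, and the validator surfaces them rather than loading them silently. The log lines, host names and file paths are constructed for illustration.

```python
"""Match refanged indicators from the advisory against log lines."""
import re

# Indicators copied verbatim (defanged) from the advisory's IOC table.
RAW_IOCS = {
    "url": ["hxxp://206[.]188[.]196[.]77:8080/themes.aspx"],
    "ip": [
        "137[.]184[.]67[.]33",  # listed as C2 on the page
        "125[.]212[.]220[.]48", "5[.]180[.]61[.]17", "47[.]242[.]39[.]92",
        "61[.]244[.]94[.]85", "86[.]48[.]6[.]69", "86[.]48[.]12[.]64",
        "94[.]140[.]8[.]48", "94[.]140[.]8[.]113", "103[.]9[.]76[.]208",
        "103[.]9[.]76[.]211", "104[.]244[.]79[.]6", "112[.]118[.]48[.]186",
        "122[.]155[.]174[.]188", "125[.]212[.]241[.]134", "185[.]220[.]101[.]182",
        "194[.]150[.]167[.]88", "212[.]119[.]34[.]11",
    ],
    "sha256": [
        "074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d824",
        "5c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9",
        "9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0",
        "29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3",
        "c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2",
    ],
}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Tokens inside free-form log text, bounded so "10.0.0.1" is not found inside "110.0.0.12".
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HEX64_TOKEN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def load_iocs(raw=RAW_IOCS):
    """Refang and validate indicators.

    Returns (iocs, rejected): iocs maps type -> set of clean values, and
    rejected lists (type, original_value, reason) for entries that would
    never match anything, such as a SHA256 that is not 64 hex characters.
    """
    iocs = {"url": set(), "ip": set(), "sha256": set()}
    rejected = []
    for kind, values in raw.items():
        for value in values:
            clean = refang(value.strip().lower())
            if kind == "ip" and not IPV4_RE.match(clean):
                rejected.append((kind, value, "not a dotted-quad IPv4 address"))
            elif kind == "sha256" and not SHA256_RE.match(clean):
                rejected.append((kind, value, f"{len(clean)} hex chars, expected 64"))
            elif kind == "url" and not clean.startswith(("http://", "https://")):
                rejected.append((kind, value, "not an http(s) URL"))
            else:
                iocs[kind].add(clean)
    return iocs, rejected


def scan_line(line: str, iocs) -> list:
    """Return the list of (type, indicator) hits found in one log line."""
    hits = []
    lowered = line.lower()
    for url in iocs["url"]:
        # Compare on host[:port]/path so the scheme in the log does not matter.
        if url.split("://", 1)[1] in lowered:
            hits.append(("url", url))
    for ip in IPV4_TOKEN.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for digest in HEX64_TOKEN.findall(line):
        if digest.lower() in iocs["sha256"]:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_log(lines, iocs) -> list:
    """Return [(line_number, line, hits)] for every line with at least one hit."""
    flagged = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, iocs)
        if hits:
            flagged.append((number, line, hits))
    return flagged


# Constructed sample events: IIS-style web log, proxy log and an EDR file event.
SAMPLE_LOG = [
    "2022-09-30 08:12:41 10.20.30.40 GET /owa/auth/logon.aspx 200",
    "2022-09-30 08:13:05 137.184.67.33 POST /owa/auth/logon.aspx 200",
    "2022-09-30 08:13:09 EXCH01 GET http://206.188.196.77:8080/themes.aspx 200",
    "2022-09-30 08:13:12 EXCH01 FileCreate C:\\inetpub\\wwwroot\\example.aspx "
    "sha256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0",
    "2022-09-30 08:14:00 10.20.30.41 GET /ecp/default.aspx 200",
]

if __name__ == "__main__":
    loaded, bad = load_iocs()
    for kind, value, reason in bad:
        print(f"REJECTED {kind} {value}: {reason}")
    for number, line, hits in scan_log(SAMPLE_LOG, loaded):
        print(f"line {number}: {hits}")
```

Running the script prints the two rejected hash entries first and then flags lines 2, 3 and 4 of the sample log (source IP, URL and file hash respectively). Validating the indicator list before it is loaded into a SIEM matters because a malformed hash never matches and gives a false sense of coverage.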

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Resource Development | T1586.002 | Compromise Accounts: Email Accounts
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1047 | Windows Management Instrumentation
Persistence | T1505.003 | Server Software Component: Web Shell
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location
Defense Evasion | T1620 | Reflective Code Loading
Credential Access | T1003.001 | Credential Dumping: LSASS Memory
Discovery | T1087 | Account Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1057 | Process Discovery
Discovery | T1049 | System Network Connections Discovery
Lateral Movement | T1570 | Lateral Tool Transfer
Collection | T1560.001 | Archive Collected Data: Archive via Utility

Indicators of Compromise (IOCs)

Type | Indicator
URL | hxxp://206[.]188[.]196[.]77:8080/themes.aspx
C2 | 137[.]184[.]67[.]33
IP | 125[.]212[.]220[.]48
IP | 5[.]180[.]61[.]17
IP | 47[.]242[.]39[.]92
IP | 61[.]244[.]94[.]85
IP | 86[.]48[.]6[.]69
IP | 86[.]48[.]12[.]64
IP | 94[.]140[.]8[.]48
IP | 94[.]140[.]8[.]113
IP | 103[.]9[.]76[.]208
IP | 103[.]9[.]76[.]211
IP | 104[.]244[.]79[.]6
IP | 112[.]118[.]48[.]186
IP | 122[.]155[.]174[.]188
IP | 125[.]212[.]241[.]134
IP | 185[.]220[.]101[.]182
IP | 194[.]150[.]167[.]88
IP | 212[.]119[.]34[.]11
SHA256 | 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d824
SHA256 | 5c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
SHA256 | 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
SHA256 | 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
SHA256 | c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

References

Microsoft MSRC

Microsoft Security
