220,000 servers are at risk under a high-intensity Microsoft Exchange 0-day attack

Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and put an estimated 220,000 people worldwide at serious risk.

Unpatched security flaws are being actively exploited since Vietnam-based security firm GTSC discovered that customer networks were infected with malicious webshells and that the initial entry point was some kind of Exchange vulnerability. The mysterious exploit looked similar to an Exchange zero-day called ProxyShell from 2021, but customers’ servers were all patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, researchers found unknown hackers exploiting the new Exchange vulnerability.

Webshells, backdoors and fake sites
“After successfully mastering the exploit, we reported the attacks to gather information and gain a foothold in the victim’s system,” the researchers wrote in a post published on Wednesday. “The attack team used a variety of techniques to create backdoors on the affected systems and perform lateral movements to other servers in the system.”

On Thursday evening, Microsoft confirmed that the vulnerabilities were new and said it was scrambling to develop and release patches. The new vulnerabilities are: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to an attacker.

“At this time, Microsoft is aware of limited targeted attacks using two vulnerabilities to gain access to users’ systems,” wrote members of the Microsoft Security Response Center team. “In these attacks, CVE-2022-41040 could enable an authenticated attacker to remotely trigger CVE-2022-41082.” Team members emphasized that successful attacks require valid credentials for at least one email user on the server.

The vulnerability affects on-premises Exchange servers and not, strictly speaking, Microsoft’s hosted Exchange service. The big caveat is that many organizations using Microsoft’s cloud offerings opt to use a mix of on-premises and cloud hardware. These hybrid environments are just as vulnerable as standalone on-premises.

Searches on Shodan indicate that there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.
Wednesday’s GTSC post said attackers are taking advantage of the zero-day to infect servers with Webshell, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading researchers to believe that the hackers are fluent in Chinese. The commands issued are also signed by China Chopper, a webshell used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be supported by the People’s Republic of China.

GTSC further stated that the threat actors who install the malware ultimately emulate Microsoft’s Exchange web service. It makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in binary. Independent researcher Kevin Beaumont said only one user at the address hosted the fake website with a one-minute login time and had been active since August.

The malware then sends and receives data encrypted with an RC4 encryption key generated at runtime. Beaumont added that the backdoor malware appears to be new, meaning it’s the first time it’s been used in the wild.

People running on-premises Exchange servers should take immediate action. Specifically, they should implement blocking rules that prevent servers from accepting known attack patterns. The rule can be applied by going to “IIS Manager -> Default Web Site -> URL Rewrite -> Actions”. For the time being, Microsoft also recommends that people block HTTP port 5985 and HTTPS port 5986, which attackers must use to exploit CVE-2022-41082.

Microsoft’s advisory has several other suggestions for detecting infections and preventing exploits until patches are available.