MS Exchange zero-days: The calm before the storm?

CVE-2022-41040 and CVE-2022-41082, the two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.


But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.

Exchange zero-days: The current situation

CVE-2022-41040 and CVE-2022-41082 were publicly documented last Wednesday by researchers with Vietnamese company GTSC, and Microsoft soon after sprang into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities.

Several changes have been made to those documents since then, after the company itself found, and other researchers pointed out, a number of shortcomings:

And the problems are far from over – defenders should expect more changes soon:

That last tweet refers to the PowerShell script delivering mitigation via the Exchange Emergency Mitigation (EM) service.

What should you do?

Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organizations globally.

“MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization,” they added.

The other good news is there are still no public exploits for the two vulnerabilities.

But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”

Enterprise defenders should therefore expect trouble via this attack path in the near future, so keeping abreast of the changing situation and applying the patches as quickly as possible once they are made available is advised.

UPDATE (October, 2022, 06:18 a.m. ET):

Scammers have started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub:
