Yet another zero-day vulnerability has been actively exploited in the wild, and it affects Microsoft Exchange Outlook Web Access (OWA) servers, leaving them vulnerable to remote code execution (RCE). Cyber security research firm GTSC discovered the two security flaws that enable the attack and released a detailed report on its findings in order to alert organisations that could be impacted. The research team suspects that a China-based hacking group is responsible, as the webshell's codepage is 936 (a Microsoft character encoding for simplified Chinese).
Upon discovery and validation of the exploits, the team at GTSC worked with the Zero Day Initiative (ZDI) to report their findings. The zero-day exploit was verified by ZDI and disclosed to Microsoft so that work on a patch could begin immediately. ZDI is currently tracking the two flaws as ZDI-CAN-18333 and ZDI-CAN-18802 and has given them Common Vulnerability Scoring System (CVSS) scores of 8.8 and 6.3 respectively.
A security advisory was released on September 29, confirming the disclosure of the two vulnerabilities discovered by GTSC. While a patch is in the works and details about the vulnerability are still emerging, GTSC has revealed that the exploit chain is similar to attacks that targeted a previously addressed ProxyShell vulnerability.
Having triaged the findings, it appears the ProxyShell patch released in 2021 did not fully solve the problem. The two new vulnerabilities have been documented as CVE-2022-41040 and CVE-2022-41082. Security researcher Kevin Beaumont has dubbed this recent zero-day vulnerability ProxyNotShell. He noted that exploiting it simply requires an authenticated user account, which could be any email account. That makes this an especially risky attack vector, as most organisations are susceptible to compromised credentials.
How the Microsoft Exchange Server Exploit Works
Attacks using this zero-day vulnerability, ProxyNotShell, on Microsoft Exchange OWA servers are carried out in two stages. The research team confirmed that the attack could be carried out against servers running the latest software versions, ruling out the above-mentioned ProxyShell vulnerability as the method of exploitation.
Stage 1
Similar to the format of the ProxyShell vulnerability, researchers first discovered the exploit request in a customer log as follows:
autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
Stage 2
The above path can then be used to access a component in the Exchange server backend, where the attacker can perform remote code execution to exfiltrate data and begin to move laterally within a network.
Microsoft’s OWA is a browser-based email client that makes it easy for users to access email, calendars, tasks and contacts and is being used by numerous organisations today.
Immediate Mitigation Steps for the OWA Exploit
Until a security update can be released, GTSC has offered a method for mitigating the threat by adding a request-blocking rule on the Exchange server's IIS front end via the URL Rewrite module, as follows:
1. In Autodiscover at FrontEnd, select the URL Rewrite tab, and then Request Blocking.
2. Add the string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path.
3. Condition input: choose {REQUEST_URI}
You can also check if your Exchange server has been compromised using a PowerShell command to scan the log files for suspicious activity:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
The team at GTSC is recommending all organisations that are using Microsoft Exchange server to do their due diligence, add the rule, and reduce their risk as soon as possible. We couldn’t agree more.
Zero Trust to Protect Against ProxyNotShell Exchange Server Exploits
The persistent risk of being the next organisation to be compromised is all too real, especially given how frequently zero-day exploits are discovered. The cost of a cyber attack is not just financial: it affects your customers, your sensitive corporate data, and even your reputation.
Defending against threats and mitigating your cyber risk starts with a defense in depth strategy that can help your organisation reduce your attack surface, making it harder for malicious actors to breach your systems. One method for significantly improving your cyber posture is Zero Trust Network Access. Zero Trust is an “Always Verify” security framework that micro-segments all resources, isolating risk.
Agilicus AnyX makes it easy to deploy a Zero Trust security framework that centralises resource management and micro-segments down to the device level. The platform can help protect against the recent exploit affecting Microsoft Exchange OWA servers by ensuring your resources are accessible to the right users without being visible on the public internet. This is done by the Agilicus Connector, which creates an outbound-only connection from a resource, helping you block lateral traversal and prevent unauthorised traffic.
Mitigating the risk of ProxyNotShell being exploited in your environment with the above steps could help your organisation stay protected. But it would also be prudent to take the next step in improving your cyber posture by stopping your OWA server from presenting on the public internet.
Get in Touch
Properly implementing a Zero Trust Network Access framework could be the difference between a system-wide breach and a truly isolated incident. When it comes to improving your cyber posture, Agilicus AnyX is designed to micro-segment users and resources, enforce least privilege access, and require every user to verify their identity using native credentials and multi-factor authentication to gain access.
Get in touch with our team today, and learn how Zero Trust can help you improve your cyber resilience and defend against attacks.