Overview
In September of 2022, GTSC reported a critical infrastructure attack that took place in August of 2022. The investigation revealed that the threat actor used two zero-day vulnerabilities in Microsoft Exchange Server in the attack. The vulnerabilities were later identified as CVE-2022-41040 and CVE-2022-41082. The exploitation of these two vulnerabilities was used to create a backdoor on a vulnerable server and perform lateral movement.
The discovery of CVE-2022-41040 and CVE-2022-41082, dubbed by the cybersecurity community as ProxyNotShell, led Microsoft to release two patches to cover the vulnerabilities.
Blackpoint Cyber notified its partners that it is actively monitoring exploitation of CVE-2022-41080 and CVE-2022-41082 in tandem to bypass the earlier Microsoft Exchange ProxyNotShell (CVE-2022-41040) mitigations, which grants unauthorized access to internal resources. Previously, the mitigation step issued by GTSC was to apply the temporary containment measures. However, this new attack chain bypasses the recommended URL request blocking mitigations, making it critical to ensure servers are patched.
To mitigate this risk, organizations are advised to patch systems using Microsoft’s November 2022 patch releases, which cover all three vulnerabilities.
Sources
- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- https://www.securityweek.com/ransomware-uses-new-exploit-bypass-proxynotshell-mitigations
- https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364/