EclecticIQ Threat Research Team
October 13, 2022

New Microsoft Exchange Server Zero-Day Vulnerabilities

Blog

tap-19-2022

Politics and Policy Keynotes: Nord Stream 1 & 2 Pipeline Destruction Overshadows Moscow Granting Citizenship to Former NSA Contractor Edward Snowden

In late September, Danish armed forces discovered leaks from undersea pipes in the Baltic Sea. (3) These leaks were caused by the suspected sabotage of the Russian (Gazprom) owned Nord Stream 1 and Nord Stream 2 pipelines. It is still unclear who may have sabotaged these pipelines, or whether it even was sabotage, but the Kremlin was quick to suggest that the United States had the most to gain from the supposed destruction of property by increasing its prices of liquified natural gas (LNG). (8) Both Ukraine and Poland are pointing their fingers at the Kremlin, (1) but Moscow has denied, and continues to deny, these accusations. (4) The Nord Stream pipelines inadvertently became pawns in the conflict between Russia and Ukraine; since June, Russia has significantly reduced the amount of gas transported through Nord Stream 1 and shut it down in late August due to “problems with equipment”. Analysts suggest this was a result of the sanctions imposed on Russia by the West. (7)

Also on the 26th of September, Moscow granted Russian citizenship to former U.S. National Security Agency (NSA) contractor Edward Snowden. Snowden is facing espionage charges in the U.S. after exposing classified NSA files pertaining to numerous domestic and global surveillance programs without proper authorization. (17) It is unclear why Snowden has been granted Russian citizenship, but it could be argued that this is an act to further escalate tensions between the West and Russia, or, alternatively, an attempt to make this controversial move at a time when it is less likely to gain widespread publicity. In 2017 Putin said that Snowden, “who keeps a low profile while living in Russia, was wrong to leak U.S. secrets, but should not be considered a traitor.” (20) Russia’s drastic reduction in gas supplies over the last few months, its ongoing actions in Ukraine, and the deliberate choice to provide a haven to a known U.S. adversary mean that the opportunity to jump-start de-escalatory negotiations is becoming more remote.

Malware: New Microsoft Exchange Server Zero-Day Vulnerabilities

Security researchers at Vietnam-based cybersecurity firm GTSC discovered two zero-day vulnerabilities in Microsoft Exchange Server, tracked as CVE-2022-41040 (server-side request forgery, SSRF) and CVE-2022-41082 (remote code execution when PowerShell is accessible to the attacker). (14) The details, shared publicly last week by GTSC, were confirmed by Microsoft. (13) GTSC suspects the perpetrators, a Chinese threat group, were chaining the pair of zero-day vulnerabilities to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to move laterally to other systems on the compromised network. The high severity of these vulnerabilities stems from the possibility of remote code execution (RCE) on the compromised system(s). (12)

The exploit works in the following stages:

  1. Receiving requests in a format similar to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com.

  2. Using the link above to reach a component in the backend where the RCE could be carried out. (12)

The link to ‘evil[.]com’ is a reference to Evil Corp, an international, but primarily Russian, cybercrime network that uses malicious software to steal funds from its victims. Known victims include Garmin, as well as banks, charities, and schools. The US Department of Justice has dubbed them “cyber-enabled bank robbers” because of the millions of dollars (>$100m) they have stolen. (15, 16)

GTSC has provided temporary mitigations, also confirmed by Microsoft, to block these attacks until Microsoft releases a security update addressing the two zero-day vulnerabilities. (12)

Adding a new IIS server rule by way of the URL Rewrite Rule module:

  1. In Autodiscover at FrontEnd, select the URL Rewrite tab, and then Request Blocking.

  2. Add the string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path.

  3. Condition input: choose {REQUEST_URI}.

GTSC recommends that all organizations and enterprises currently running Microsoft Exchange servers check, review, and apply the temporary mitigation above to avoid the potentially considerable damage a successful exploit could cause. (11) Administrators who want to verify the integrity of their Exchange servers can also run the following PowerShell command to scan IIS log files for indicators of compromise (IoCs):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
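As an added example (not code from the original post, GTSC, or Microsoft), the same IoC pattern applied to W3C-format IIS log lines, with each hit reported as a structured record (time, client IP, request, status) rather than a raw line. The log content is constructed for the demo, the function name is hypothetical, and the stock IIS log location in the trailing comment is an assumption about a default install.

```powershell
function Find-ExchangeAutodiscoverIoC {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # GTSC's published pattern; -match is case-insensitive by default, as Select-String is
        [string] $Pattern = 'powershell.*autodiscover\.json.*\@.*200'
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # the header names the columns of the records that follow it
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # skip other directives and any record seen before a header
        if ($line.StartsWith('#') -or -not $fields) { continue }
        if ($line -notmatch $Pattern) { continue }
        # IIS writes '+' for spaces inside a field, so whitespace is a safe delimiter
        $values = $line -split '\s+'
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]@{
            Time     = "$($entry['date']) $($entry['time'])"
            ClientIP = $entry['c-ip']
            Method   = $entry['cs-method']
            Request  = "$($entry['cs-uri-stem'])?$($entry['cs-uri-query'])"
            Status   = $entry['sc-status']
        }
    }
}

# Constructed sample log: three requests, only the second matches the pattern
# (the third has the same request shape but did not return 200).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 10:15:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2022-09-28 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 198.51.100.7 python-requests/2.28 200
2022-09-28 10:15:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell 443 - 198.51.100.7 python-requests/2.28 401
'@ -split "`r?`n"

Find-ExchangeAutodiscoverIoC -LogLines $sample | Format-Table -AutoSize

# Against real logs (assumed stock location %SystemDrive%\inetpub\logs\LogFiles\W3SVC<n>\):
# Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter *.log |
#     ForEach-Object { Find-ExchangeAutodiscoverIoC -LogLines (Get-Content $_.FullName) }
```

Because the pattern is matched against the whole line, a hit requires the request fields and the 200 status to appear in the order GTSC's regex expects; the third sample line shows a non-200 response that the page's command would likewise not flag.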

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.


Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.

Appendix

  1. https://www.forbes.com/sites/michaelshellenberger/2022/09/27/nato-says-sabotage-behind-destruction-of-natural-gas-pipelines/?sh=4aa243216162; https://www.reuters.com/business/energy/fourth-leak-found-nord-stream-pipelines-swedish-coast-guard-says-2022-09-29/
  2. https://www.defenseone.com/ideas/2022/09/nord-stream-leaks-underline-gray-zone-risks/377701/
  3. https://www.bbc.com/news/world-europe-60131520
  4. https://www.reuters.com/business/energy/pressure-defunct-nord-stream-2-pipeline-plunged-overnight-operator-2022-09-26/
  5. https://www.theguardian.com/world/2022/feb/22/germany-halts-nord-stream-2-approval-over-russian-recognition-of-ukraine-republics
  6. https://www.theguardian.com/world/2022/sep/05/russia-will-not-resume-gas-supplies-to-europe-until-sanctions-lifted-says-moscow
  7. https://www.reuters.com/business/energy/russias-gazprom-says-pressure-nord-stream-pipelines-has-stabilised-2022-10-03/
  8. https://www.scientificamerican.com/article/what-do-mysterious-nord-stream-methane-leaks-mean-for-climate-change/
  9. https://greekreporter.com/2022/09/30/nord-stream-gas-leak-climate-disaster/
  10. https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
  11. https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
  12. https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
  13. https://healthitsecurity.com/news/microsoft-exchange-zero-day-vulnerabilities-may-impact-healthcare-cybersecurity
  14. https://www.bbc.com/news/technology-59297187
  15. https://www.techtarget.com/searchsecurity/definition/Evil-Corp#:~:text=Evil%20Corp%20is%20an%20international,largest%2C%20most%20harmful%20hacking%20group.
  16. https://www.theguardian.com/us-news/2022/sep/26/putin-grants-russian-citizenship-to-us-whistleblower-edward-snowden
  17. https://www.bbc.com/news/world-europe-63036991
  18. https://www.reuters.com/world/europe/putin-grants-russian-citizenship-us-whistleblower-edward-snowden-2022-09-26/
  19. https://www.washingtonpost.com/world/2022/09/26/putin-snowden-citizenship-russia/
  20. https://www.npr.org/2022/09/26/1125109303/putin-edward-snowden-russian-citizenship
  21. https://www.newyorker.com/news/daily-comment/edward-snowdens-real-impact
