‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server.

The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise mail server by Vietnamese cybersecurity firm GTSC. Microsoft said it is aware of “a small number of targeted attacks” exploiting the flaws, which impact on-prem Microsoft Exchange Server versions 2013, 2016, and 2019.

The bugs appear to be less dangerous variants – on account of authentication to PowerShell being required – of the critical ProxyShell vulnerabilities that were widely abused in 2021.

RCE chain

In GTSC's original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.

The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).


Catch up of the latest enterprise security news


As the vulnerabilities are yet to be patched, the full technical details have not been released – but proof-of-concept (PoC) code is expected to appear soon.

GTSC informed Trend Micro’s Zero Day Initiative (ZDI) of its findings. After ZDI verified the flaws and reached out to the Microsoft Security Response Center (MSRC), the Redmond giant confirmed the report and published an analysis of attacks exploiting the flaws.

“Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately,” Microsoft noted.

Unfortunately, the authentication required is nothing more than a standard user. As a result, cybercriminals could obtain these credentials via theft, credential stuffing, and brute-force attacks.

State-sponsored attacks

According to Microsoft, fewer than 10 organizations worldwide have been targeted by what is likely a “state-sponsored organization”.

GTSC researchers said there are indicators that a Chinese threat group is leveraging Antsword, a Chinese cross-platform website management suite with web shell functionality.

China Chopper, a web shell, has apparently been used to perform Active Directory reconnaissance and data exfiltration. If this sounds familiar, the same web shell was used in attacks exploiting Exchange Server zero-day vulnerabilities in 2021. These attacks were attributed to the state-sponsored Chinese threat group HAFNIUM.


BACKGROUND ‘A whole new attack surface’ – Researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server


Security researcher Kevin Beaumont has noted similarities between the paths used by the new bugs, which he has dubbed ‘ProxyNotShell’, and the zero days from last year.

Devcore researcher Orange Tsai, who discovered the original, ProxyShell flaws, suggested in a talk at Black Hat USA (PDF) last year that fundamental path confusion issues could see further ProxyShell variants emerge – a prediction that has now come to pass.

Mitigation advice

Microsoft has released customer guidance for mitigating the new bugs while it works on a patch.

The company is urging customers to disable remote PowerShell access for non-administrators immediately. If the Exchange Emergency Mitigation Service (EEMS) is enabled, further mitigations will be applied automatically.

According to the tech giant, Exchange Online customers do not need to take any action. However, Beaumont has queried the wisdom of this statement, given that Microsoft Exchange Online migration involves using hybrid, internet-facing Exchange servers.

“It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available,” Microsoft commented.

CISA has added the two zero-days to the Known Exploited Vulnerabilities Catalog.

Microsoft told The Daily Swig that the company has nothing further to share beyond the published advisories.


YOU MIGHT ALSO LIKE #AttachMe Oracle cloud bug exposed volumes to data theft, hijack