Microsoft's mitigation for preventing Exchange Server zero-day exploits can be bypassed

Attackers are chaining two vulnerabilities in active attacks to achieve remote code execution on Microsoft Exchange Server

Microsoft announced last week that it was aware of limited targeted attacks that exploited two zero-day vulnerabilities affecting its Exchange Server software.

At the time, the company also published mitigations for the two vulnerabilities that are tracked as CVE-2022-41040 and CVE-2022-41082.

However, researchers are now warning that Microsoft ' s mitigations for protecting against the exploitation of two flaws are not efficient and may be easily bypassed.

The vulnerabilities were discovered in early August by GTSC, a Vietnamese security firm, while providing security monitoring and incident response for a client whose systems had been targeted.

The malicious queries the GTSC researchers saw in the server logs first led them to believe they could be dealing with a ProxyShell exploit. ProxyShell chains three Exchange vulnerabilities that were addressed last year.

However, GTSC researchers found that the hacked Exchange servers of their client were fully updated, which meant that ProxyShell could not be the cause of the problem.

After reverse engineering, they discovered that these were new security bugs, which had not been reported earlier. GTSC then sent a report to the Zero Day Initiative (ZDI) programme at Trend Micro, where experts confirmed the vulnerabilities and shared them with Microsoft.

CVE-2022-41040 is a server-side request forgery (SSRF) flaw that makes it possible for an authenticated attacker to exploit the second vulnerability (CVE-2022-41082), which in turn allows remote code execution (RCE) via PowerShell.

In its advisory, Microsoft highlights that an attacker needs to be authenticated to exploit CVE-2022-41040.

The company also shared mitigations for on-premise servers as part of the advisory.

Microsoft's suggested mitigation is to use the URL Rewrite engine found under IIS Manager -> Default Web Site -> URL Rewrite -> Actions to block the known attack patterns.

However, a Vietnamese security researcher who uses the Twitter handle Janggggg pointed out on Monday that the blocking rule can be easily bypassed.

Other security experts, such as Will Dormann, a senior vulnerability analyst at ANALYGENCE, confirmed this.

Dormann said that the '@' in Microsoft ' s URL block looks "unnecessarily precise, and therefore insufficient."

Security expert Kevin Beaumont posted a video, warning that an organisation is vulnerable as long as it has an on-premise Exchange Server deployment.

Based on the web shells ' code page - a Microsoft character encoding for simplified Chinese - GTSC suspects that a Chinese gang may be behind the ongoing attacks.

Microsoft is yet to release a patch to address the two vulnerabilities.

The company says Exchange Online users don't need to take any action at the moment since the company has detections and mitigation in place to safeguard customers.

In May, Microsoft researchers discovered a malicious campaign targeting MS-SQL Server by exploiting a built-in PowerShell utility to achieve persistence on compromised machines.

The cyber actors behind the campaign used brute force attacks for the initial breach and then weaponised the built-in sqlps.exe module to seize full control of the SQL Server instance.

In February, ASEC researchers warned that hackers were trying to deploy the Cobalt Strike adversary simulation tool on vulnerable internet-facing SQL Server instances in efforts to steal confidential information from compromised machines.