Microsoft Exchange On-Prem Critical Vulnerabilities - CVE-2022-41080, CVE-2022-41082

CVE: CVE-2022-41080, CVE-2022-41082

What Is Vulnerable?

Microsoft Exchange Server (On-Premises) 2013, 2016, 2019 devices that have not applied update KB5019758 released on November 8.

What’s Happening?

There has been an increase of attacks against On-Prem Exchange Servers that are utilising Microsofts URL Rewrite mitigiations as a defence against CVE-2022-41080 and CVE-2022-41082.
Threat actors are chaining vulnerabilities CVE-2022-41080 and CVE-2022-41082 to infiltrate networks and deploy ransomware.

Key Facts

Attackers are using SSRF vulnerability CVE-2022-41040 to target the backend PowerShell service through Outlook Web Access.
Once the PowerShell service has been reached, vulnerability CVE-2022-41082 is exploited to execute arbitrary commands on the device.

What You Can Do

System Administrators are advised to:

• Immediately apply update KB5019758 to On-Prem Microsoft Exchange Servers which remediates these issues.
• Inspect their systems for PowerShell sessions spawned by IIS creating outbound connections including to the following IPs: 45.76.141[.]84, 45.76.143[.]143

Detections rules that have been associated with this attack vector:

Attacker Technique - PowerShell Registry Cradle

Suspicious Process - PowerShell System.Net.Sockets.TcpClient

Suspicious Process - Exchange Server Spawns Process

PowerShell - Obfuscated Script

Webshell - IIS Spawns PowerShell

Additional follow-on detection behaviours observed with this type of compromise include:

Attacker Technique - Plink Redirecting RDP

Attacker Technique - Renamed Plink

Suspicious Process - Started From Users Music Directory

Further information on the vulnerability is available Microsoft, Rapid7, CrowdStrike

Cythera Vulnerability Management Clients are actively being scanned for any vulnerable instances of Microsoft Exchange.