Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform

Travis Smith

Last updated on: October 28, 2022

On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named “ProxyNotShell”) in Microsoft Exchange Server via two advisories issued by Zero Day Initiative: ZDI-CAN-18333 and ZDI-CAN-18802.

The first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft mentions that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.  

On September 30, 2022, Microsoft released an advisory acknowledging that they are “aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”

Threat actors are chaining these two zero-day vulnerabilities to deploy Chinese Chopper web shells on vulnerable Microsoft Exchange Servers for persistence and data theft. Based on the code on these web shells, GTSC suspects that these threat actors are based in China. As a result, CISA has added these vulnerabilities to its list of Known Exploited Vulnerabilities Catalog.

These vulnerabilities affect the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Qualys Vulnerability Coverage (QID)

Qualys customers can use the following QID to identify potentially vulnerable assets in their environments.

QIDTitleRelease Versions
50122Microsoft Exchange Server Multiple Vulnerabilities (Zero Day)VULNSIGS-2.5.596-5 or later and QAGENT-SIGNATURE-SET-2.5.596.5-4 or later

Detect ProxyNotShell Using Qualys VMDR

Here are the steps that your organization can take to rapidly respond to the zero-day threat of ProxyNotShell using Qualys VMDR.

Identify Microsoft Exchange Server Assets

The first step in managing these critical vulnerabilities and reducing risk is identification of your potentially vulnerable assets. Qualys VMDR makes it easy to identify Windows Exchange Server systems.

Use the following Qualys Query Language (QQL) string:

operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)

Qualys CSAM displays inventory of all Microsoft Exchange Server assets

Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, for example: “ProxyNotShell Exchange Server 0-day”. This helps in automatically grouping existing hosts with the zero-days as well as any new Windows Exchange Server that is provisioned in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout the Qualys Cloud Platform.

Using the VMDR Dashboard, you can track ‘Exchange 0-day’, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.

Read the Article (Qualys Customer Portal): ProxyNotShell Exchange Server 0-Day Dashboard | Critical Global View

Exchange Server 0-Day Dashboard in Qualys VMDR

Discover ProxyNotShell Exchange Server Zero-Day Vulnerabilities

Now that hosts running Microsoft Exchange Server are identified, you will want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always up-to-date Qualys KnowledgeBase (KB).

You can see all your impacted hosts for this vulnerability tagged with the ‘Exchange Server 0-day’ asset tag in the vulnerabilities view by using this QQL query:

VMDR query: vulnerabilities.vulnerability.qid: 50122

Qualys VMDR isolates all Exchange Server assets with the vulnerability QID 50122

QID 50122 is available in signature version VULNSIGS-2.5.596-5 and above. It can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 2.5.596.5-4 and above.

Microsoft Guidance for Risk Mitigation of ProxyNotShell

Microsoft has released Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server [msrc-blog.microsoft.com]. According to the blog post, “Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.” The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.

Note: Microsoft Exchange Online is not affected. 

An attacker could exploit these vulnerabilities to take control of an affected system.

Remediation/Mitigation of ProxyNotShell

Qualys Patch Management and Qualys Custom Assessment and Remediation (CAR) customers can leverage the scripting capabilities of both products to deploy mitigation actions to their Exchange Servers.

By leveraging Qualys CAR’s scripting capabilities or Patch Management’s pre-actions capabilities, customers can deploy a PowerShell script to apply the mitigations recommended by Microsoft.

Refer to the Qualys scripting library on GitHub for the mitigation script and execute it via Qualys CAR on required assets.

As per the mitigation introduced by MS, Qualys Policy Compliance customers can evaluate mitigation on MS Exchange targets with control:

24782 Status of the ‘URL Rewrite Instructions’ configured for the site and applications

24802 Status of the ‘Remote PowerShell access’ setting enabled for users

Detect Malicious Behavior related to ProxyNotShell using Qualys Multi-Vector EDR

Based on the post-exploitation activity from multiple threat actors, Qualys Multi-Vector EDR customers can hunt for the following malicious activities: 

  1. Detecting usual children of w3wp.exe such as: 
  • csc.exe 
  • transcodingservice.exe 
  • werfault.exe 
  • powershell 
  • powershell_ise 
  • python 
  • curl.exe 
  1. Detecting webshell-like files with the following extensions being written on an Exchange Server: 
  • .ashx 
  • .aspx 
  • .asmx 
  • .asax 

Detect Exploitation Attempts related to ProxyNotShell using Qualys Context XDR 

Interested Qualys Context XDR customers can contact their Technical Account Managers for the following rules: 

  1. T1190 – [Akamai WAF] ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082) 
  1. T1190 – ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082) 
  1. T1190 – [Trend Micro TippingPoint IPS] ProxyNotShell RCE Vulnerability Exploitation Detected 
  1. T1190 – ProxyNotShell RCE Vulnerability Exploitation Detected via Firewall (CVE-2022-41040/CVE-2022-41082) 

With Qualys Context XDR, customers have the power to write their own detections as well. An example of a generic rule that detects ProxyNotShell attempts is shown below: 

Indicators of Compromise (IOCs) for ProxyNotShell

FilenamesSHA256 HashPath
Pxh4HG1v.ashxc838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
RedirSuiteServiceProxy.aspx65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
RedirSuiteServiceProxy.aspxb5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
xml.ashxc838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 
errorEE.aspxbe07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257%ProgramFiles%\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\
Dll.dll074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 
Dll.dll45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 
Dll.dll9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 
Dll.dll29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 
Dll.dllC8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 
180000000.dll76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e 

Contributors

  • Bharat Jogi, Director, Vulnerability and Threat Research, Qualys
  • Mehul Revankar, VP, Product Management & Engineering for VMDR, Qualys
  • Mayuresh Dani, Manager, Threat Research, Qualys
  • Lavish Jhamb, Solution Architect, Compliance Solutions, Qualys
  • Eran Livne, Senior Director, Endpoint Remediation, Qualys
  • Mukesh Choudhary, Compliance Research Analyst, Qualys
  • Mohd Anas Khan, Compliance Research Analyst, Qualys
  • Arun Pratap Singh, Engineer, Threat Research, Qualys
  • David Lu, Senior Engineer, Threat Research, Qualys
  • Felix Jimenez Saez, Director, Product Management. Qualys
Show Comments (3)

Comments

Your email address will not be published.

  1. Why isn’t there a “Last Updated” comment anywhere on this page? How do we know if this article incorporates all the changes they’ve made?