On September 29, Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082 affecting Microsoft Exchange Server. The vulnerabilities allow remote code execution (RCE) when used in tandem. It is important to note that both require authenticated access to the desired server before exploitation. Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10, respectively.
According to researchers, CVE-2022-41082 is closely related to the ProxyShell vulnerability from 2021, CVE-2021-34473. The request string disclosed from the recent exploit is identical to that of last year’s vulnerability, and the mitigation provided by Microsoft is the same as well.
Imperva Threat Research has observed considerable related attacker activity targeting last year’s ProxyShell vulnerability (CVE-2021-34473) recently. Threat Research rules and policies may also be picking up attacks targeting the new exploits (CVE-2022-41040 and CVE-2022-41082).
GTSC, the company who discovered these vulnerabilities in August, believes that a Chinese threat actor may be behind the attacks observed so far. Per GTSC, the attacks include a Chinese character encoding and the China Chopper webshell for persistent remote access, which is a backdoor commonly used by likely state-sponsored Chinese hacking groups.
Given existing blocking rules that mitigate the CVE-2021-34473 proxyshell vulnerabilities, these new CVEs are mitigated out of the box by both Imperva Cloud WAF and WAF Gateway. If customers wish to implement a manual mitigation based on the advisory from Microsoft, it can be found here. Microsoft noted that the CVEs only impact on-premise Exchange servers, so Exchange Online Customers do not currently need to take any action.
As always, Imperva Threat Research continues to monitor the situation and will provide updates as new information emerges.
Try Imperva for Free
Protect your business for 30 days on Imperva.
