On 29 September 2022 Microsoft published an advisory confirming the existence of vulnerabilities impacting Microsoft Exchange. First reported by GTSC Vietnam Technology Services, the vulnerabilities can only be exploited by an authenticated user.
Microsoft reports that the first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the malicious actor.
GTSC has reported that these vulnerabilities have been exploited by malicious actors and that exploitation has resulted in the deployment of webshells as well as information disclosure, command execution and lateral movement.
Recommended actions
Microsoft has reported that patches are in development but has confirmed that mitigation recommendations, such as those provided by GTSC, are successful in blocking the activity. Those recommendations are available within both the Microsoft and GTSC advisories.
As a result of its incident response activity, GTSC compiled several Indicators of Compromise (IOCs) to aid network defenders in the detection of malicious activity. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity.
The Canadian Cyber Centre recommends Exchange customers continue to monitor Microsoft advisory spaces and update systems when a patch is made available.