Microsoft Exchange On-Prem Critical Vulnerabilities - CVE-2022-41080, CVE-2022-41082

22 Dec / 2022

Cyber Security

CVE: CVE-2022-41080, CVE-2022-41082

What Is Vulnerable?

Microsoft Exchange Server (On-Premises) 2013, 2016, 2019 devices that have not applied update KB5019758 released on November 8.

What’s Happening?

There has been an increase of attacks against On-Prem Exchange Servers that are utilising Microsofts URL Rewrite mitigiations as a defence against CVE-2022-41080 and CVE-2022-41082.
Threat actors are chaining vulnerabilities CVE-2022-41080 and CVE-2022-41082 to infiltrate networks and deploy ransomware.

Key Facts

Attackers are using SSRF vulnerability CVE-2022-41040 to target the backend PowerShell service through Outlook Web Access.
Once the PowerShell service has been reached, vulnerability CVE-2022-41082 is exploited to execute arbitrary commands on the device.

What You Can Do

System Administrators are advised to:

  • Immediately apply update KB5019758 to On-Prem Microsoft Exchange Servers which remediates these issues.
  • Inspect their systems for PowerShell sessions spawned by IIS creating outbound connections including to the following IPs: 45.76.141[.]84, 45.76.143[.]143

Detections rules that have been associated with this attack vector:

Attacker Technique - PowerShell Registry Cradle

Suspicious Process - PowerShell System.Net.Sockets.TcpClient

Suspicious Process - Exchange Server Spawns Process

PowerShell - Obfuscated Script

Webshell - IIS Spawns PowerShell

Additional follow-on detection behaviours observed with this type of compromise include:

Attacker Technique - Plink Redirecting RDP

Attacker Technique - Renamed Plink

Suspicious Process - Started From Users Music Directory


Further information on the vulnerability is available Microsoft, Rapid7, CrowdStrike

Cythera Vulnerability Management Clients are actively being scanned for any vulnerable instances of Microsoft Exchange.

Resources

You may be interested in

Safeguarding the Australian Health Sector with SASE: Beyond Perimeter Defense

Safeguarding the Australian Health Sector with SASE: Beyond Perimeter Defense Across the Australian healthcare landscape, digital transformatio…

Read More arrow_forward

The Ransomware Playbook

[Updated March 2021] Ransomware incidents are becoming prolific. We’re seeing a steady stream of Australian businesses come to us to help them…

Read More arrow_forward

The Cythera Approach To Incident Response

We’re increasingly assisting more organisations respond to security incidents and breaches, in every industry vertical. If you need some point…

Read More arrow_forward