[UPDATE] Zero-day Vulnerabilities Affecting Microsoft Exchange Server
30 September 2022
Security researchers have discovered two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) affecting Microsoft Exchange Server 2013, 2016, and 2019. These vulnerabilities are reportedly being actively exploited in the wild.
Successful exploitation of the vulnerabilities could allow an authenticated attacker to perform unauthorised Remote Code Execution (RCE) on a compromised system.
A patch for the vulnerabilities is currently not available. As a workaround, system administrators of affected on-premises Microsoft Exchange servers are advised to add a rule to block requests with indicators of attack through the URL Rewrite Rule module on the Internet Information Services (IIS) server, and block exposed Remote PowerShell ports (HTTP: 5985 and HTTPS: 5986) as soon as possible until a patch is made available.
According to Microsoft, system administrators can apply the following URL Rewrite rule to break the current attack chain:
1. Open the IIS Manager.
2. Expand the Default Web Site.
3. Select Autodiscover.
4. In the Feature View, click URL Rewrite.
5. In the Actions pane on the right-hand side, click Add Rules.
6. Select Request Blocking and click OK.
7. Add the string ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK.
8. Expand the rule, select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.
9. Change the condition input from {URL} to {REQUEST_URI}.
System administrators can also run the following PowerShell command to search their IIS logs for requests matching the attack pattern, as an indicator that an Exchange Server may have been compromised through these vulnerabilities. Replace <Path_IIS_Logs> with the directory that holds the IIS log files:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
System administrators are advised to refer to Microsoft's website for more detection techniques regarding the vulnerabilities and for patch updates.
More information is available here: