This is a follow-up to notifications we sent out regarding the potential for attackers to obtain Remote Code Execution (RCE) on on-premises and hybrid Microsoft Exchange servers by leveraging CVE-2022-41082. This notification currently affects:
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Please note this applies to organizations that maintain on-premises Microsoft Exchange servers or a hybrid configuration.
This is not a notification of activity we are currently seeing on networks being monitored by Critical Insight.
In October 2022, Microsoft recommended mitigating CVE-2022-41082 by creating an IIS URL Rewrite rule to block the exploit requests. Recently, both Rapid7 and CrowdStrike have observed and responded to attackers bypassing that URL Rewrite mitigation through a privilege escalation vulnerability in OWA (CVE-2022-41080), chaining it with CVE-2022-41082 to achieve privileged access.
CVE-2022-41080 – Microsoft Exchange Server elevation of privilege vulnerability: a Server-Side Request Forgery (SSRF) in the Autodiscover endpoint of Outlook Web Access (OWA).
CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution (RCE) vulnerability, exploitable when PowerShell is accessible to the attacker.
Indicators of compromise (IOCs) noted by these companies include PowerShell being spawned by the IIS worker process (w3wp.exe) and creating outbound network connections to:
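The parent/child relationship above (w3wp.exe spawning PowerShell, which then connects outbound) can be hunted for in endpoint process and network telemetry. The following is an added example written for this notification, not code from Critical Insight, Rapid7, or CrowdStrike; it assumes Sysmon-style process-create and network-connect records, constructed here as Python dictionaries.

```python
"""Hunt for the IOC above: IIS worker process (w3wp.exe) spawning PowerShell,
which then opens outbound network connections.
Added example; the events below are constructed, not real telemetry."""

# Constructed Sysmon-style records: id 1 = process create, id 3 = network connect.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 700,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "pid": 5216, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 3, "pid": 5216, "initiated": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign control: an administrator's PowerShell launched from Explorer.
    {"id": 1, "pid": 6000, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 6000, "initiated": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "198.51.100.5", "dest_port": 443},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return findings for PowerShell processes whose parent is w3wp.exe,
    attaching any outbound connections those processes initiated.
    Two passes so input ordering does not matter; PIDs are assumed unique
    within the window examined (PID reuse would need a process GUID)."""
    spawned = {}
    for ev in events:
        if (ev["id"] == 1 and basename(ev["parent_image"]) == "w3wp.exe"
                and basename(ev["image"]) in POWERSHELL_HOSTS):
            spawned[ev["pid"]] = {"pid": ev["pid"], "parent_pid": ev["ppid"],
                                  "connections": [], "severity": "medium"}
    for ev in events:
        if ev["id"] == 3 and ev.get("initiated") and ev["pid"] in spawned:
            finding = spawned[ev["pid"]]
            finding["connections"].append((ev["dest_ip"], ev["dest_port"]))
            # Spawn alone merits a look; spawn plus outbound traffic matches the full IOC.
            finding["severity"] = "high"
    return list(spawned.values())
```

Feed it real Sysmon Event ID 1 and 3 records mapped to the same keys; the benign Explorer-launched PowerShell in the sample is deliberately not flagged.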