Description

Two new zero-day Microsoft Exchange vulnerabilities have been identified as actively exploited in the wild: CVE-2022-41040 and CVE-2022-41082.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk, Web
  • Last Updated: 2022-09-30
  • Author: Michael Haag, Splunk
  • ID: 4e3f17e7-9ed7-425d-a05e-b65464945836

Narrative

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. The activity was originally identified by GTSC while monitoring Exchange, and the adversary post-exploitation behavior observed there is tagged to this story.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application, External Remote Services | TTP |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| ProxyShell ProxyNotShell Behavior Detected | Exploit Public-Facing Application, External Remote Services | Correlation |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
| Windows Exchange Autodiscover SSRF Abuse | Exploit Public-Facing Application, External Remote Services | TTP |
| Windows MSExchange Management Mailbox Cmdlet Usage | Command and Scripting Interpreter, PowerShell | Anomaly |
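The detections above are SPL searches over the Web and Endpoint data models; as an added illustration (not Splunk's detection content), the Python below runs the same two signals over constructed sample data: the Autodiscover SSRF request that reaches the PowerShell endpoint (the regex is the one in Microsoft's published URL Rewrite mitigation for ProxyNotShell, applied to the re-joined URI stem and query from IIS W3C logs), and the IIS worker process w3wp.exe spawning a command shell, the classic web shell indicator. All log lines, IP addresses, hostnames and process events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# --- Web-layer signal: Autodiscover SSRF chained into the PowerShell endpoint ---

# Constructed IIS W3C log lines (sample data, not captured telemetry). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
# IIS writes '+' for spaces inside the User-Agent, so a plain split on ' ' is safe.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:01:02 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-30 10:01:05 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/ 443 - 198.51.100.7 python-requests/2.28.1 200
2022-09-30 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json a@example.com/mapi/nspi/ 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401
2022-09-30 10:02:00 10.0.0.5 GET /ecp/default.aspx - 443 - 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Pattern from Microsoft's URL Rewrite mitigation for ProxyNotShell; the rewrite rule
# matches the full request URI, so stem and query are re-joined before matching.
AUTODISCOVER_TO_POWERSHELL = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


@dataclass(frozen=True)
class WebFinding:
    client_ip: str
    method: str
    request_uri: str
    status: str
    rule: str


def iter_iis_records(log_text: str) -> Iterator[dict]:
    """Yield one dict per data line; directive lines (#Fields, #Date, ...) are skipped."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) != 11:
            continue  # malformed line; a real pipeline would count and surface these
        _date, _time, _s_ip, method, stem, query, _port, _user, c_ip, _ua, status = fields
        yield {"method": method, "stem": stem, "query": query, "c_ip": c_ip, "status": status}


def hunt_autodiscover_ssrf(log_text: str) -> list[WebFinding]:
    """Flag requests whose full URI shows autodiscover.json -> '@' -> powershell."""
    findings = []
    for rec in iter_iis_records(log_text):
        uri = rec["stem"] if rec["query"] == "-" else f'{rec["stem"]}?{rec["query"]}'
        if AUTODISCOVER_TO_POWERSHELL.search(uri):
            findings.append(WebFinding(rec["c_ip"], rec["method"], uri, rec["status"],
                                       "autodiscover-ssrf-to-powershell"))
    return findings


# --- Endpoint signal: w3wp.exe spawning a shell (web shell indicator) ---

# Constructed process-creation events in a Sysmon/EDR-like shape, not real telemetry.
# csc.exe under w3wp.exe is normal ASP.NET page compilation and must not alert.
SAMPLE_PROCESS_EVENTS = [
    {"host": "exch01", "parent": "w3wp.exe", "process": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "exch01", "parent": "w3wp.exe", "process": "csc.exe", "cmdline": "csc.exe /noconfig /t:library"},
    {"host": "exch01", "parent": "explorer.exe", "process": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "exch01", "parent": "W3WP.EXE", "process": "powershell.exe", "cmdline": "powershell.exe -NoProfile"},
]

SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def hunt_w3wp_spawning_shell(events: list[dict]) -> list[dict]:
    """Return events where the IIS worker process is the direct parent of a shell."""
    return [e for e in events
            if e["parent"].lower() == "w3wp.exe" and e["process"].lower() in SHELL_CHILDREN]


if __name__ == "__main__":
    for f in hunt_autodiscover_ssrf(SAMPLE_IIS_LOG):
        print("WEB ", f)
    for e in hunt_w3wp_spawning_shell(SAMPLE_PROCESS_EVENTS):
        print("PROC", e["host"], e["parent"], "->", e["process"], e["cmdline"])
```

Note the third log line: a request to autodiscover.json that pivots to /mapi/nspi/ rather than /powershell/ is not matched by this rule, which is deliberate; it is the kind of variant the "Exchange PowerShell Abuse via SSRF" and "Windows Exchange Autodiscover SSRF Abuse" detections are meant to be broader than, so a real hunt should also review any autodiscover.json request whose query contains an '@' regardless of the downstream path, and weight 200 responses over 401s.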
