On September 29, 2022, a blog was released by GTSC outlining a new attack campaign that has been observed utilizing two as-yet undisclosed vulnerabilities (0-day) that were submitted to Microsoft via Trend Micro's Zero Day Initiative: ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3), which could allow an attacker to perform remote code execution (RCE) on affected Microsoft Exchange servers.
Update: Microsoft has publicly acknowledged the issue and has issued some initial guidance. In addition, two CVEs have been publicly assigned to the issues above: CVE-2022-41040 and CVE-2022-41082.
Using Trend Micro Products for Investigation
The following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer's environment.
Trend Micro Vision One™
Trend Micro Vision One customers benefit from the XDR detection capabilities of the underlying products such as Apex One. The following outlines some of the components of Trend Micro Vision One that can be used for investigation.
Risk Insights > Executive Dashboard
Customers utilizing the Executive Dashboard component of Risk Insights can view proactive information about Trend Micro rules and mitigations, as well as act on potentially affected devices (if Vulnerability Detection is enabled).
Alternatively, customers may utilize the General Search Query function in Trend Micro Vision One™ to do some preliminary investigation of potential exposure.
1. Open Trend Micro Vision One and navigate to Search.
2. Select General for Search Method.
3. Enter the following query:
eventSubId: 101 AND (FileFullPath:"C:\Perflogs\*.exe" OR FileFullPath:"C:\Perflogs\*.dll" OR FileFullPath:"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.ashx" OR FileFullPath:"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx")
4. Execute the search (and save for later if desired).
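To make clear what the search in step 3 actually selects, the following is an added example (not Trend Micro's code and not part of the original alert) that re-implements the query's logic offline and runs it over a few constructed telemetry records. It assumes that eventSubId 101 is the file-creation telemetry sub-type, that FileFullPath holds the full Windows path, and that the query's `*` wildcard behaves like a glob (matching any run of characters, backslashes included). The sample paths and host names are constructed and are not indicators from the GTSC report.

```python
"""Offline re-implementation of the Vision One General Search query:

    eventSubId: 101 AND (FileFullPath:"C:\\Perflogs\\*.exe" OR ... )

Added example, not Trend Micro code. Assumptions: eventSubId 101 is the
file-creation sub-type, FileFullPath is a full Windows path, and '*' is a
glob wildcard. Matching is case-insensitive because NTFS paths are.
"""
import fnmatch

# The four OR-ed FileFullPath clauses, copied from the query as written.
FILE_PATH_PATTERNS = [
    r"C:\Perflogs\*.exe",
    r"C:\Perflogs\*.dll",
    r"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.ashx",
    r"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx",
]
FILE_CREATE_EVENT = 101  # assumption: eventSubId value for a file-create event


def path_matches(path: str) -> bool:
    """True if the path satisfies any of the OR-ed FileFullPath clauses."""
    lowered = path.lower()
    # fnmatchcase escapes backslashes literally, so Windows separators are safe.
    return any(fnmatch.fnmatchcase(lowered, pattern.lower())
               for pattern in FILE_PATH_PATTERNS)


def matches_query(event: dict) -> bool:
    """Evaluate 'eventSubId: 101 AND (path clause OR ...)' for one record."""
    return (event.get("eventSubId") == FILE_CREATE_EVENT
            and path_matches(event.get("FileFullPath", "")))


def sweep(events: list) -> list:
    """Return the records the saved search would surface, in input order."""
    return [event for event in events if matches_query(event)]


# Constructed sample telemetry: two hits, two misses (one wrong path, one
# right path but a non-create event sub-type). Not real IOCs.
SAMPLE_EVENTS = [
    {"eventSubId": 101, "endpointHostName": "EXCH01",
     "FileFullPath": r"C:\PerfLogs\example_dropper.exe"},
    {"eventSubId": 101, "endpointHostName": "EXCH01",
     "FileFullPath": r"C:\Program Files\Microsoft\Exchange Server\V15"
                     r"\FrontEnd\HttpProxy\owa\auth\example_shell.aspx"},
    {"eventSubId": 101, "endpointHostName": "EXCH02",
     "FileFullPath": r"C:\Windows\System32\notepad.exe"},
    {"eventSubId": 106, "endpointHostName": "EXCH02",
     "FileFullPath": r"C:\PerfLogs\example_dropper.exe"},
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print(f"{hit['endpointHostName']}: {hit['FileFullPath']}")
```

The fourth sample record is the useful edge case: the path is suspicious, but because the query is anchored on a single eventSubId, a rename, modify or delete of the same file would not be returned by this search. Analysts who want broader coverage would widen the eventSubId clause in the console rather than rely on this one saved query.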
Curated Intelligence Reports
An updated Curated Intelligence Report in Trend Micro Vision One for this campaign has been added that will automatically conduct some endpoint activity sweeping for XDR customers that have this enabled.
Trend Micro Protection and Detection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. Unfortunately, as of this time, this is considered an undisclosed 0-day, so an official patch is not yet available from Microsoft; however, they have released some initial guidance.
As the original submission of the exploit was made through the Trend Micro Zero Day Initiative, based on our analysis of the exploit information, Trend Micro can share that we have some existing detection rules and filters that can help provide protection against potential exploitation of this vulnerability.
Trend Micro Cloud One - Network Security & TippingPoint ThreatDV Malware Protection Filters
- 39522: HTTP: Microsoft Exchange Server Autodiscover SSRF Vulnerability (PWN2OWN ZDI-21-821)
- 41776: ZDI-CAN-18333: Zero Day Initiative Vulnerability (Microsoft Exchange)
Trend Micro Cloud One - Workload Security, Deep Security & Vulnerability Protection IPS Rules
- 1011041 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473 and ZDI-CAN-18802)
- 1011548 - Microsoft Exchange Server Remote Code Execution Vulnerability (ZDI-CAN-18333)
Trend Micro Deep Discovery Inspector (DDI) Rules
- 4593: EXCHANGE SSRF EXPLOIT - HTTP(REQUEST)
- 4624: EXCHANGE EXPLOIT - HTTP(RESPONSE)
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)
- The associated ASP Webshell is being detected as Backdoor.ASP.WEBSHELL.YXCI4
- The known Chinese Chopper component is detected by Trend Micro Behavior Monitoring solutions
- Several of the IPs listed in the GTSC reports are being blocked at the URL level by Trend Micro Web Reputation Services (WRS) as Malware Accomplices, Disease Vectors or C&C Servers
Other Containment and Detection Measures
GTSC has outlined in their blog some potential detection and mitigation information in addition to Trend Micro's protection listed above. Trend Micro cannot officially confirm whether or not these are adequate mitigations, but advises customers to read through the blog and take action if feasible.
Microsoft has also released a blog on the issue with some initial guidance. It is noted that authenticated access to the vulnerable Exchange server is necessary to exploit either of the vulnerabilities.
Trend Micro will continue to update this Security Alert with additional information, such as IOC detection and official patch information as they become publicly available.