This week’s reporting revisits the two Microsoft Exchange zero-day vulnerabilities that were disclosed last week, as researchers have since warned that threat actors can bypass the mitigations provided by Microsoft. The vulnerabilities are tracked as CVE-2022-41040 (CVSS: 8.8|OVSS: 68), a server-side request forgery vulnerability, and CVE-2022-41082 (CVSS: 8.8|OVSS: 68), which enables remote code execution if the adversary has access to PowerShell. The initial disclosure of the vulnerabilities identified that Chinese-linked adversaries had successfully chained the vulnerabilities together to deploy China Chopper web shells on compromised servers.

Microsoft provided temporary URL Rewrite instructions to apply until a patch is released; however, a security researcher has found that the URL pattern in those instructions only covers the exploit strings seen so far and can easily be bypassed by threat actors. The researcher has advocated implementing a less specific, alternative string as a rule in the Internet Information Services (IIS) Manager that covers a wider range of exploit variants: ‘.*autodiscover\.json.*Powershell.*’
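As an added example (not from the bulletin or from Microsoft), the script below applies the broader rule string quoted above to a constructed IIS W3C log excerpt, rebuilding REQUEST_URI (path plus query) the way the rewrite rule sees it, so defenders can hunt retrospectively for requests the rule would have blocked. The log lines, hostnames and addresses are invented; the one real-world detail assumed is that IIS URL Rewrite matches patterns case-insensitively by default, which is why the offline check uses `re.IGNORECASE`.

```python
import re
from dataclasses import dataclass

# Rule string recommended in the bulletin above. IIS URL Rewrite matches it against
# {REQUEST_URI} (path plus query string) case-insensitively by default, so the
# offline check compiles it with re.IGNORECASE to mirror the rule's behaviour.
RECOMMENDED_PATTERN = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)
# Same string compiled case-sensitively, only to show how much a naive grep misses.
CASE_SENSITIVE_PATTERN = re.compile(r".*autodiscover\.json.*Powershell.*")

# Constructed IIS W3C log excerpt (not real traffic). The first line is the
# #Fields header IIS writes at the top of every log file; values are space-separated.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.10 Mozilla/5.0 200
2022-10-03 09:15:11 10.0.0.5 POST /autodiscover/autodiscover.json a=x/powershell 443 - 203.0.113.44 python-requests/2.28 200
2022-10-03 09:16:40 10.0.0.5 GET /Autodiscover/Autodiscover.JSON q=z/PowerShell/ 443 - 203.0.113.44 python-requests/2.28 401
2022-10-03 09:17:03 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test 443 - 198.51.100.7 Outlook/16.0 200
"""

@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    request_uri: str
    status: str

def parse_w3c(text: str):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows, never mis-align columns
                yield dict(zip(fields, values))

def find_matching_requests(log_text: str, pattern: re.Pattern = RECOMMENDED_PATTERN) -> list[Hit]:
    """Rebuild REQUEST_URI as the rewrite rule sees it and return the rows it would block."""
    hits = []
    for row in parse_w3c(log_text):
        query = row["cs-uri-query"]
        uri = row["cs-uri-stem"] if query == "-" else f"{row['cs-uri-stem']}?{query}"
        if pattern.fullmatch(uri):
            hits.append(Hit(row["time"], row["c-ip"], row["cs-method"], uri, row["sc-status"]))
    return hits
```

The benign autodiscover lookup in the last sample row is not flagged, which is the point of requiring both `autodiscover.json` and `Powershell` in one URI rather than blocking autodiscover traffic outright.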

Key Vulnerabilities

  1. CVE-2022-41082
    A recently disclosed zero-day remote code execution vulnerability (CVSS: 8.8|OVSS: 68) that can be exploited if the adversary has access to PowerShell. It affects Microsoft Exchange Server 2013, 2016, and 2019 instances and was discovered alongside CVE-2022-41040. Since our last reporting, a researcher has warned that the mitigations provided by Microsoft are not sufficient and can be bypassed by threat actors.
  2. CVE-2022-41352
    A remote code execution vulnerability (CVSS: 9.8|OVSS: 55) affecting versions 8.8.15 and 9.0 of Zimbra Collaboration Suite, an enterprise collaboration software and email platform. The vulnerability lies in the way Zimbra’s antivirus engine (Amavis) scans inbound emails, and it enables an unauthenticated threat actor to create and overwrite files on the Zimbra server. The vulnerability, which remains unpatched, has been actively exploited since early September 2022. Researchers have released a Proof-of-Concept and Indicators-of-Compromise to assist enterprise defenders with detection.
  3. CVE-2022-35951
    An integer overflow vulnerability (CVSS: 9.8|OVSS: 27) affecting versions 7.0.0 up to 7.0.5 of Redis, an in-memory database. An integer overflow occurs when an arithmetic result exceeds the range its integer type can hold and wraps around; when the wrapped value is then used to size a memory allocation, later writes spill past the allocated buffer into adjacent memory and overwrite it. Executing an `XAUTOCLAIM` command with a specially crafted `COUNT` argument may cause such an integer overflow and a subsequent heap overflow, enabling remote code execution. Researchers have warned that threat actors are actively exploiting vulnerable Redis servers.

Key Intelligence Reports

  1. Zero-day Microsoft Exchange vulnerability mitigation can be bypassed
    Researchers have warned that mitigations for two new Microsoft Exchange zero-day vulnerabilities are not enough and can be bypassed by threat actors.
  2. Nation-state unit deploys Impacket and CovalentStealer to exfiltrate sensitive data from US defence entities
    Between November 2021 and January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to a state-sponsored espionage operation targeting a US Defence Industrial Base (DIB) organisation’s enterprise network to steal sensitive data.
  3. Linux-based Cheerscrypt ransomware linked to Chinese-linked espionage unit APT10
    Researchers have linked the Linux-based ransomware Cheerscrypt to the Chinese-linked cyber-espionage group APT10 (also known as Bronze Starlight, DEV-0401 and Emperor Dragonfly).

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding additional context on the likely threat to and impact of CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerabilities Scoring System) score.