GTSC reviewed the Exchange server version and confirmed the Exchange servers were up to date and the vulnerabilities were indeed new zero days. Compare the above request with the following excerpt from Mandiant’s blog reporting on the discovery of ProxyShell last year, and you’d think this must be an unpatched server exploited by ProxyShell.
The URL requests appear to be identical to the ProxyShell requests seen last year. GTSC’s SOC discovered the following URL requests in a customer’s Microsoft Internet Information Services (IIS) logs: Vulnerabilities DiscussedĬonclusion Details of the Vulnerabilities The Unit 42 Incident Response team can provide personalized assistance.įor more details, please see the conclusion.Malicious URLs and IPs have been added to Advanced URL Filtering.XQL queries provided below can be used with Cortex XDR to help track attempts to exploit these CVEs.Cortex XDR will report related exploitation attempts.Cortex Xpanse can help identify and detect Microsoft Exchange servers that may be a part of your attack surface.A Cortex XSOAR response pack and playbook can automate the mitigation process.Next-Generation Firewalls or Prisma Access with a Threat Prevention security subscription can block sessions related to CVE-2022-41040.Palo Alto Networks customers receive protections from and mitigations for ProxyNotShell in the following ways: In the meantime, they provided mitigations in a blog responding to GTSC’s disclosure of these vulnerabilities.
SPLUNK FILE MONITOR PATCH
Microsoft has yet to release a patch for these vulnerabilities. The exploit does require authentication however, the authentication required is that of a standard user and, based on how easy it is to collect user credentials these days, this is not a high bar to overcome.
SPLUNK FILE MONITOR CODE
The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. The vulnerabilities were assigned CVE-2022-41040 and CVE-2022-41082 and rated with severities of critical and important respectively. Once they determined the scope of the vulnerabilities, GTSC reported the vulnerability to the Zero-day Initiative ( ZDI) to enable further coordination with Microsoft. The exploit was discovered in the wild in what appeared to be a SOC investigation into suspicious activity of one of GTSC’s customers. In early August, GTSC discovered a new Microsoft Exchange zero-day remote code execution (RCE) that was very similar to ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
0 kommentar(er)
