Mrs. Christiana Kozakou is the Head of Marketing at Odyssey Cybersecurity, where she leads and oversees strategic marketing efforts for the Odyssey and ClearSkies brands around the globe. Her expertise lies in designing and coordinating 360-degree marketing campaigns and crafting effective market penetration strategies for entering new markets. Mrs. Kozakou is a dynamic professional driven by her passion for unleashing potential in every endeavour, leading a team of creative marketers working together towards one goal: to give voice to Odyssey and its people so the world can become a cyber-safer place. Throughout her 10-year career, Mrs. Kozakou has served in key roles in Advertising, Business Development and Digital Marketing at international companies. A fervent believer in empowering women, she served as a dedicated volunteer for IWIB’s International Team, fostering growth and opportunities for aspiring leaders. Her educational background includes a Master of Business Administration (MBA) and Bachelor’s degrees in Marketing and Sociology.
Two New Microsoft Exchange zero-days actively exploited in the wild
Threat Level Description
Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.
Description
We have observed that two new zero-day vulnerabilities in Microsoft Exchange Server have been identified and are being actively exploited in the wild.
An attacker exploiting these vulnerabilities could achieve remote code execution on affected systems.
The first vulnerability (CVE-2022-41040) is an authenticated server-side request forgery (SSRF) flaw in Microsoft Exchange Server. Exploiting it could allow an attacker to reach a backend component where the second-stage vulnerability, CVE-2022-41082, can then be leveraged for remote code execution (RCE).
The second flaw (CVE-2022-41082) is an authenticated remote code execution vulnerability. It is very similar to ProxyShell, a chain of three Exchange Server vulnerabilities discovered by Orange Tsai in 2021; however, the original ProxyShell attack chain did not require authentication, whereas CVE-2022-41082 does.
CVE(s)
Affected Systems
Recommendation(s)
You should immediately apply the relevant security patches from the vendor as soon as they are available.
On-premises Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block the exposed Remote PowerShell ports.
The current mitigation is to add a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns.
To apply the mitigation to vulnerable servers, you will need to go through the following steps:
1. Open the IIS Manager.
2. Expand the Default Web Site.
3. Select Autodiscover.
4. In the Feature View, click URL Rewrite.
5. In the Actions pane on the right-hand side, click Add Rules.
6. Select Request Blocking and click OK.
7. Add the string ".*autodiscover.json.*@.*Powershell.*" (excluding quotes) and click OK.
8. Expand the rule, select the rule with the Pattern ".*autodiscover.json.*@.*Powershell.*" and click Edit under Conditions.
9. Change the condition input from {URL} to {REQUEST_URI}.
Since threat actors can also use PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082, Microsoft also advises administrators to block the following Remote PowerShell ports:
• HTTP: 5985
• HTTPS: 5986
The following PowerShell command can be used to scan IIS log files for indicators of compromise:
Get-ChildItem -Recurse -Path
You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to run an efficient patch management solution, keep security event logging enabled and practise continuous event monitoring. Protecting the valuable assets of your business and remaining compliant with the relevant industry regulations require a comprehensive approach to risk management, including penetration testing at least annually and upon significant changes.