Last week, reports emerged about two unpatched zero-day vulnerabilities affecting Microsoft Exchange servers that have already been exploited in the wild.
One of the flaws (CVE-2022-41082) is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while the second bug (CVE-2022-41040) allows a remote attacker to perform SSRF attacks. A China-linked threat group has been observed exploiting the vulnerabilities to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims' networks.
While Microsoft has yet to release security updates to fix the bugs, collectively dubbed “ProxyNotShell,” it provided mitigations to help users prevent such attacks. The company also recommended that Exchange Server customers “disable remote PowerShell access for non-admin users” in the organization.
However, security researchers warn that these measures can be easily bypassed.
“The URL pattern to detect/prevent the Exchange 0day provided in MSRC's blog post can easily be bypassed. The DLL can be modified by dnSpy and confirmed working well without any side-effect,” a security researcher who goes online as Jang wrote in a tweet.
Cybersecurity researcher Will Dormann agreed with Jang’s assessment and said that the '@' in Microsoft’s URL block “seems unnecessarily precise, and therefore insufficient.”
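To illustrate the point Jang and Dormann make, here is an added Python example (not code from the article, from Microsoft, or from the researchers) that scans constructed request-log lines with two detection rules: a narrow one that, like the criticised pattern, insists on a literal '@' between the autodiscover and PowerShell segments, and a broader one that only requires both tokens to be present after URL-decoding and case-folding. The log lines and both regular expressions are assumptions constructed for this example and are not Microsoft's published rule text.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (method, URI, status); not real traffic.
SAMPLE_LOG = """\
GET /autodiscover/autodiscover.json?Email=user@example.com 200
POST /autodiscover/autodiscover.json?@example.com/powershell 200
POST /Autodiscover/Autodiscover.json?x=contoso.com/PowerShell?serializationLevel=Full 200
GET /owa/ 200
"""

# Hypothetical narrow rule: requires a literal '@' between the two tokens.
# This mirrors the over-precise matching the article's researchers criticise.
NARROW = re.compile(r"autodiscover\.json.*@.*powershell")

# Hypothetical broad rule: both tokens anywhere in the normalized URI, any order.
# Suited to hunting/alerting, where a second look at a hit is acceptable.
BROAD = re.compile(r"(?=.*autodiscover)(?=.*powershell)")


def normalize(uri: str) -> str:
    """Decode twice to unwrap nested percent-encoding, then case-fold."""
    return unquote(unquote(uri)).lower()


def flag_requests(log_text: str, rule: re.Pattern) -> list:
    """Return the original URIs whose normalized form matches the rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the scan
        uri = parts[1]
        if rule.search(normalize(uri)):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    print("narrow rule hits:", flag_requests(SAMPLE_LOG, NARROW))
    print("broad rule hits: ", flag_requests(SAMPLE_LOG, BROAD))
```

The narrow rule flags only the request that spells out the '@' form, while the broad rule also catches the mixed-case variant without it; the benign autodiscover lookup on the first line is flagged by neither.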
Interestingly enough, scammers are already taking advantage of the situation, offering fake proof-of-concept exploits for CVE-2022-41040 and CVE-2022-41082 on GitHub for as little as $420. Security researchers spotted five now-removed accounts attempting to sell the fake exploits ('jml4da', 'TimWallbey', 'Liu Zhao Khin (0daylabin)', 'R007er', and 'spher0x') and a scam account impersonating Kevin Beaumont (aka GossiTheDog), a well-known cybersecurity researcher.