2022-10-03
Researchers Say Microsoft’s Mitigations for Exchange Server Zero-Days are Not Robust Enough; Microsoft is Developing Fixes on an “Accelerated Timeline”
Last week, Microsoft released mitigations to help protect users from attacks exploiting a pair of vulnerabilities in Exchange Server. The flaws are being actively exploited, and can be chained to attain remote code execution. Researchers now say that those mitigations can easily be bypassed. Actual patches for the vulnerabilities are not yet available; Microsoft says it is working on an “accelerated timeline” to make fixes available. On Sunday, October 2, Microsoft added this to the mitigation suggestions: “we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization.” [Ed: CISA has added the Exchange Server flaws to its Known Exploited Vulnerabilities catalog.]
Editor's Note
This vulnerability is a good example of the need for robust detection engineering to cover post-exploit activity. Rules to detect rogue DLLs or webshells will go a long way toward detecting activity well beyond Exchange flaws.

Johannes Ullrich
The trick is to focus on where you can raise the bar until a patch is released. Allowing PowerShell execution only from users who need it is a good first step. These attacks require account takeover. As such, make sure accounts, especially administrative ones, use MFA and are only allowed to connect from authorized devices/services. Employ separation of duties, require administrative accounts not be end user accounts, then monitor their use.

Lee Neely
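The mitigation Microsoft recommends in the item above, and that Lee Neely's note endorses, is to leave remote PowerShell enabled only for the users who need it. The script below is an added example, not part of the NewsBites item and not Microsoft's own guidance text; it assumes it is run from the Exchange Management Shell on an on-premises server, and it assumes that "admin users" means the members of the built-in "Organization Management" role group (an organization-specific choice; extend $adminRoleGroups to match how your tenant delegates administration).

```powershell
# Added example: disable remote PowerShell for every user who is not an Exchange admin.
# Assumptions: Exchange Management Shell on-premises; "admin" == member of the role
# group(s) listed in $adminRoleGroups (organization-specific, adjust as needed).

$adminRoleGroups = @('Organization Management')   # assumption: your admin role group(s)

# Distinguished names of everyone who is a direct member of an admin role group.
$adminIds = foreach ($rg in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $rg | ForEach-Object { $_.DistinguishedName }
}

# Non-admin users that currently still have remote PowerShell enabled.
$targets = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and ($adminIds -notcontains $_.DistinguishedName) }

# Record the before-state so the change can be reverted once a patch is installed.
$targets | Select-Object Name, DistinguishedName, RemotePowerShellEnabled |
    Export-Csv -Path .\remote-ps-before.csv -NoTypeInformation

# Apply the mitigation. -WhatIf prints the planned changes without making them;
# remove it after reviewing the target list.
$targets | Set-User -RemotePowerShellEnabled $false -WhatIf

# Verify: any non-admin user listed here still has remote PowerShell and is a gap.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and ($adminIds -notcontains $_.DistinguishedName) } |
    Select-Object Name, DistinguishedName

# To revert after patching:
#   Import-Csv .\remote-ps-before.csv | Set-User -RemotePowerShellEnabled $true
```

Two caveats worth checking before running it without -WhatIf: Get-RoleGroupMember lists direct members only, so admins who inherit rights through a nested security group will not be in $adminIds and would be disabled along with everyone else; and disabling remote PowerShell also blocks any service accounts or automation that connect through the Exchange Management Shell remotely, so those identities need to be added to the exclusion list explicitly.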
Read more in
Microsoft: Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Microsoft: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
ZDNet: Microsoft: New Exchange Server zero-days already used in attacks, expect more to come
Bleeping Computer: Microsoft Exchange server zero-day mitigation can be bypassed
Ars Technica: High-severity Microsoft Exchange 0-day under attack threatens 220,000 servers