Category: Emergent Threat Response

Active Exploitation of IBM Aspera Faspex CVE-2022-47986

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On January 26, 2023, IBM published an advisory for multiple security issues affecting its Aspera Faspex software. The most critical of these was CVE-2022-47986, which is a pre-authentication YAML deserialization vulnerability in Ruby on Rails code. The vulnerability carries a CVSS score of 9.8.

Vulnerability details and working proof-of-concept code have been available since February, and there have been multiple reports of exploitation since then, including the vulnerability’s use in the IceFire ransomware campaign. Rapid7 vulnerability researchers published a full analysis of CVE-2022-47986 in AttackerKB in February 2023.

Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986. In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.

According to IBM, affected products include Aspera Faspex 4.4.2 Patch Level 1 and below. CVE-2022-47986 is remediated in 4.4.2 Patch Level 2.

Logfiles can be found in the folder /opt/aspera/faspex/log by default. Entries related to PackageRelayController#relay_package should be considered suspicious. See AttackerKB for additional in-depth technical analysis.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-47986 with an authenticated vulnerability check available as of the February 17, 2023 content release. A remote vulnerability check was released on February 27, 2023. Accuracy improvements to both checks were released March 28, 2023.

Rapid7 Observed Exploitation of Adobe ColdFusion

Rapid7’s Threat Intelligence and Detection Engineering team has identified active exploitation of Adobe ColdFusion in multiple customer environments. The observed activity dates back to January 2023 and has not been tied back to a specific CVE at this time. IOCs are included below.

Rapid7 has existing detection rules within InsightIDR that have identified this activity and have created additional rules based upon this observed behavior. We have also observed  the compromised website, ooshirts[.]com, being used in other attacks dating back to March 2022.

Attacker Behavior

The earliest time frame of compromise identified thus far occurred in early January 2023. Rapid7 discovered evidence indicating that a malicious actor dropped webshells using an encoded PowerShell command. Process start data indicates that ColdFusion 2018 is spawning malicious commands.

Example base64 encoded command executed by malicious actor through ColdFusion:

Rapid7 Observed Exploitation of Adobe ColdFusion

Decoded:

Rapid7 Observed Exploitation of Adobe ColdFusion

Rapid7 Customers

In our current investigations, previously existing and new detections have been observed triggering post exploitation across Rapid7 InsightIDR and Managed Detection & Response (MDR) customers:

Webshell - Possible ColdFusion Webshell In Command Line

This detection identifies common ColdFusion tags being passed in the command line. This technique is used by malicious actors when redirecting strings into files when creating webshells.

Attacker Technique - CertUtil With URLCache Flag

This detection identifies the use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.

Indicators of Compromise

This technique has been observed by malicious actors redirecting strings into files while creating webshells. Look for *.cfm files in ColdFusion webroots containing the following ColdFusion tags:

  • <cfexecute>
  • </cfexecute>

Review process start logs for any abnormal child processes of ColdFusion Server

File items:

Type Value Notes
Filename WOW.TXT ColdFusion WebShell
Filename wow.txt ColdFusion WebShell
Filename www.txt ColdFusion WebShell
Filename www.cfm ColdFusion WebShell
Filename wow1.cfm ColdFusion WebShell
Filename zzz.txt ColdFusion WebShell
Filename dncat.exe DotNetCat
Filename nc.exe NetCat
SHA-256 e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245 ColdFusion WebShell
SHA-256 2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25 ColdFusion WebShell
SHA-256 03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3 ColdFusion WebShell
SHA-256 be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148 ColdFusion WebShell
MD5 1edf1d653deb9001565b5eff3e50824a DotNetCat
SHA-1 5d95fb365b9d0ceb568bb0c75cb1d70707723f27 DotNetCat
SHA-256 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0 DotNetCat
MD5 470797a25a6b21d0a46f82968fd6a184 NetCat
SHA-1 dac7867ee642a65262e153147552befb0b45b036 NetCat
SHA-256 ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419 NetCat

Network-based indicators:

Type Value Notes
FQDN www.av-iq[.]com Legitimate Compromised Domain
FQDN www.ooshirts[.]com Legitimate Compromised Domain
URL hXXps://www.av-iq[.]com/wow.txt ColdFusion WebShell
URL hXXps://www.ooshirts[.]com/images/zzz.txt ColdFusion WebShell
URL hXXps://www.ooshirts[.]com/images/dncat.exe DotNetCat
URL hXXp://www.ooshirts[.]com/images/nc.exe NetCat

MITRE ATT&CK Tactic/Technique/Subtechniques

TA0042 Resource Development (tactic):

  • T1584 Compromise Infrastructure (technique)
  • T1584.004 Server (sub-technique)

TA0001 Initial Access (tactic):

  • T1190 Exploit Public Facing Application (technique)

TA0002 Execution (tactic):

  • T1059 Command and Scripting Interpreter (technique)
  • T1059.001 PowerShell (sub-technique)
  • T1059.003 Windows Command Shell (sub-technique)

TA0003 Persistence (tactic):

  • T1505 Server Software Component (technique)
  • T1505.003 Web Shell (sub-technique)

TA0011 Command & Control (tactic):

  • T1132 Data Encoding (technique)
  • T1132.001 Standard Encoding (sub-technique)
  • T1572 Protocol Tunneling (technique)

Mitigation Guidance

While we have not tied this behavior back to exploitation of a specific CVE, Adobe released patches for known vulnerabilities in ColdFusion on March 14, 2023. Several of the CVEs patched in version 16 (ColdFusion 2018) and version 6 (ColdFusion 2021) are known to be exploited in the wild.

We strongly advise ColdFusion customers to update to the latest version to remediate known risk, regardless of whether the behavior we have detailed in this blog is related to recent vulnerabilities. We also advise customers to examine their environments for signs of compromise.

InsightVM and Nexpose customers are able to assess their exposure to known Adobe ColdFusion vulnerabilities via recurring vulnerability check coverage.

Eoin Miller contributed to this article.

Active Exploitation of ZK Framework CVE-2022-36537

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is aware of active exploitation of CVE-2022-36537 in vulnerable versions of ConnectWise R1Soft Server Backup Manager software. The root cause of the vulnerability is an information disclosure flaw in ZK Framework, an open-source Java framework for creating web applications. ConnectWise uses ZK Framework in its popular R1Soft and Recovery products; the vulnerability is being used for remote code execution and the installation of malicious drivers that function as backdoors. After initial access is obtained, attackers have reportedly been able to execute commands on all systems running the agent connected to the R1Soft server.

The advisory and NVD entry for CVE-2022-36537 indicate that ostensibly, the flaw is merely an information disclosure vulnerability. Rapid7 believes this categorization significantly downplays the risk and the impact of CVE-2022-36537 and should not be used as a basis for lower prioritization.

Overview

In May 2022, software company Potix released an update to ZK Framework, an open-source Java framework used to create enterprise web and mobile applications in pure Java. The update addressed CVE-2022-36537, which had been reported to Potix by Code White GmbH’s Markus Wulftange. The vulnerability arises from an issue in ZK Framework’s AuUploader component that allows an attacker to forward a HTTP request to an internal URI. Successful exploitation allows an attacker to obtain sensitive information or target an endpoint that might otherwise be unreachable. Since ZK Framework is a library, CVE-2022-36537 is likely to affect a range of other products in addition to the core framework itself.

In October 2022, security firm Huntress published a blog on a Lockbit 3.0 ransomware incident that included exploitation of CVE-2022-36537 in ConnectWise R1Soft Server Backup Manager software. Threat actors exploited the vulnerability to bypass authentication, deployed a malicious JDBC database driver that allowed for arbitrary code execution, and finally used the REST API to send commands to registered agents—commands that instructed the agents to push ransomware to downstream systems. The malicious JDBC driver also functions as a backdoor into compromised systems.

On February 22, 2023, the NCC Group’s FOX IT team published a similar account of an incident where they had observed threat actors exploiting CVE-2022-36537 against ConnectWise R1Soft servers as far back as November 29, 2022. According to FOX IT’s research, several hundred R1Soft servers were backdoored as of January 2023, of which more than 140 remain compromised. They have a full account of the attack chain and a list of IOCs here.

FOX IT said that the adversary used R1Soft “as both an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent. This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges. This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server.”

Shodan reports 3,643 instances of ConnectWise R1Soft Server Backup Manager as of March 1, 2023. Multiple public proof-of-concept (PoC) exploits are available dating back to December 2022. On February 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-36537 to its Known Exploited Vulnerabilities (KEV) list and published a warning that “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”  

As mentioned above, the primary advisory and NVD entry for CVE-2022-36537 both note that the core vulnerability in ZK Framework is an information disclosure flaw (hence the 7.5 CVSSv3 score). In the context of ConnectWise R1Soft, however, the impact of the flaw is remote code execution, not merely information disclosure.

The public PoCs include code that uses the vulnerability to leak the contents of the file /Configuration/database-drivers.zul and expose a unique ID value that is intended to be secret. Once the attacker has this ID value, they can exploit the vulnerability once more to reach an otherwise inaccessible endpoint and upload the malicious database driver.

Affected products


ZK Framework (core)

All versions of ZK Framework from 9.6.1 and below are vulnerable to CVE-2022-36537. Potix released version 9.6.2 to fix this issue on May 4, 2022, alongside several hotfixes for earlier branches (9.6.0, 9.5.1, 9.0.1, and 8.6.4).

Fixed versions of ZK Framework are:

  • 9.6.2
  • 9.6.0.2 (security release)
  • 9.5.1.4 (security release)
  • 9.0.1.3 (security release)
  • 8.6.4.2 (security release)

Workarounds are available, but as always, we strongly recommend applying patches. See Potix’s advisory for further details on affected ZK Framework versions.

ConnectWise products

According to ConnectWise’s advisory, CVE-2022-36537 affects the following products and versions:

  • ConnectWiseRecover v2.9.7 and earlier versions are vulnerable
  • ConnectWise R1Soft Server Backup Manager (SBM): SBM v6.16.3 and earlier versions are vulnerable

ConnectWise R1Soft users should upgrade the server backup manager to SBM v6.16.4 released October 28, 2022 using the R1Soft upgrade wiki.

The advisory also indicates that “affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9)” as of October 28, 2022.

Mitigation guidance

ConnectWise R1Soft Server Backup Manager users should update their R1Soft installations to a fixed version (v6.16.4) on an emergency basis, without waiting for a regular patch cycle to occur, and examine their environments for signs of compromise. Both Huntress and FOX IT have information on observed indicators of compromise.

ZK Framework users should likewise update to a fixed version immediately, without waiting for a regular patch cycle to occur. As with many library vulnerabilities, assessing exposure may be complex. It’s likely there are additional applications that implement ZK Framework; downstream advisories may include other information about ease or impact of exploitation.

Since ConnectWise R1Soft appears to be the primary vector for known attacks as of March 1, 2023, we strongly advise prioritizing those patches.

Rapid7 customers

Our researchers are currently evaluating the feasibility of adding a vulnerability check for InsightVM and Nexpose.

CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-21587, a critical arbitrary file upload vulnerability (rated 9.8 on the CVSS v3 risk metric) impacting Oracle E-Business Suite (EBS). Oracle published a Critical Patch Update Advisory in October 2022 which included a fix, meanwhile, CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog on February 2, 2023.

Oracle E-Business Suite is a packaged collection of enterprise applications for a wide variety of tasks such as customer relationship management (CRM), enterprise resource planning (ERP), and human capital management (HCM).

CVE-2022-21587 can lead to unauthenticated remote code execution.

On January 16, 2023, Viettel Security published an analysis of the issue detailing both the vulnerability's root cause and a method of leveraging the vulnerability to gain code execution. An exploit based on the Viettel Security analysis technique was published on GitHub by “HMs” on February 6, 2023.

Affected products

  • Oracle Web Applications Desktop Integrator as shipped with Oracle E-Business Suite versions 12.2.3 through 12.2.11 are vulnerable.

What we’re seeing

The attacker(s) are using the above-mentioned proof of concept exploit, uploading a perl script, which fetches (via curl/wget) additional scripts to download a malicious binary payload making the victim host part of a botnet.

Rapid7 customers

InsightVM & Nexpose customers: Authenticated vulnerability checks for CVE-2022-21587 have been available since November 2022. Note that these require valid Oracle Database credentials to be configured in order to collect the relevant patch level information.

InsightIDR & Managed Detection & Response (MDR) customers: in our current investigations, the previously existing detections have been triggering post exploitation:

  • Suspicious Process - Wget to External IP Address
  • Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port

We’re also testing new rules more specific to Oracle E-Business Suite.

CVE-2023-22501: Critical Broken Authentication Flaw in Jira Service Management Products

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On February 1, 2023, Atlassian published an advisory for CVE-2023-22501, a critical broken authentication vulnerability affecting its Jira Service Management Server and Data Center offerings. Jira Service Management Server and Jira Service Management Data Center run on top of Jira Core and offer additional features.

According to Atlassian’s advisory, the vulnerability “allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:

  • If the attacker is included on Jira issues or requests with these users, or
  • If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.

Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”

The vulnerability is not known to be exploited in the wild as of February 6, 2023. We are warning customers out of an abundance of caution given Atlassian products’ popularity among attackers the past two years.

Affected Products

The following versions of Jira Service Management Server and Data Center are vulnerable to CVE-2023-22501:

  • 5.3.0
  • 5.3.1
  • 5.3.2
  • 5.4.0
  • 5.4.1
  • 5.5.0

Atlassian Cloud sites (Jira sites accessed via an atlassian.net domain) are not affected.

Mitigation guidance

Jira Service Management Server and Data Center users should update to a fixed version of the software as soon as possible and monitor Atlassian’s advisory for further information. Atlassian customers who are unable to immediately upgrade Jira Service Management can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround.

Rapid7 customers

A remote (unauthenticated) check for CVE-2023-22501 will be published in the February 6, 2023 InsightVM and Nexpose content release.

Ransomware Campaign Compromising VMware ESXi Servers

On February 3, 2023, French web hosting provider OVH and French CERT issued warnings about a ransomware campaign that was targeting VMware ESXi servers worldwide with a new ransomware strain dubbed “ESXiArgs.” The campaign appears to be leveraging CVE-2021-21974, a nearly two-year-old heap overflow vulnerability in the OpenSLP service ESXi runs. The ransomware operators are using opportunistic “spray and pray” tactics and have compromised hundreds of ESXi servers in the past few days, apparently including servers managed by hosting companies. ESXi servers exposed to the public internet are at particular risk.

Given the age of the vulnerability, it is likely that many organizations have already patched their ESXi servers. However, since patching ESXi can be challenging and typically requires downtime, some organizations may not have updated to a fixed version.

Affected products

The following ESXi versions are vulnerable to CVE-2021-21974, per VMware’s original advisory:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

Security news outlets have noted that earlier builds of ESXi appear to have also been compromised in some cases. It is possible that attackers may be leveraging additional vulnerabilities or attack vectors. We will update this blog with new information as it becomes available.

Attacker behavior

OVH has observed the following as of February 3, 2023 (lightly edited for English translation):

  • The compromise vector is confirmed to use a OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed [as of February 3]). The logs actually show the user “dcui” as involved in the compromise process.
  • Encryption is using a public key deployed by the malware in /tmp/public.pem
  • The encryption process is specifically targeting virtual machines files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”,”*.vmem”)
  • The malware tries to shut  down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
  • The malware creates “argsfile” to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size)
  • No data exfiltration occurred.
  • In some cases, encryption of files may partially fail, allowing the victim to recover data.

Mitigation guidance

ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur. ESXi instances should not be exposed to the internet if at all possible. Administrators should also disable the OpenSLP service if it is not being used.

Rapid7 customers

A vulnerability check for CVE-2021-21974 has been available to InsightVM and Nexpose customers since February 2021.

Exploitation of GoAnywhere MFT zero-day vulnerability

Emergent threats evolve quickly. As we learn more about this vulnerability, we will update this blog post with relevant information about technical findings, product coverage, and other information that can assist you with assessment and mitigation.

On Thursday, February 2, 2023, security reporter Brian Krebs published a warning on Mastodon about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT managed file transfer solution. Fortra (formerly HelpSystems) evidently published an advisory on February 1 behind authentication; there is no publicly accessible advisory.

Exploitation of GoAnywhere MFT zero-day vulnerability

According to the advisory, which Krebs quoted directly in his Mastodon post, the vulnerability is a remote code injection flaw that requires administrative console access for successful exploitation. Fortra said that the Web Client interface itself is not exploitable. While administrative consoles and management interfaces should ideally never be exposed to the internet, security researcher Kevin Beaumont noted in a reply to Krebs’s post on Mastodon that there appears to be a fair number of systems (1,000+) exposing administrative ports to the public internet.

The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system. The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.

Note that, while this is not mentioned explicitly in the pasted Fortra advisory text, it is also possible that threat actors may be able to obtain administrative access by targeting reused, weak, or default credentials.

Mitigation guidance

While Fortra has published a mitigation, there is no mention of a patch. GoAnywhere MFT customers can log into the customer portal to access direct communications from Fortra.

The following mitigation information has been taken from Krebs’s repost of the Fortra advisory on Mastodon, but has not been verified by our research team:

On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml.

Find and remove (delete or comment out) the following servlet and servlet-mapping configuration in the screenshot below.

Before:

<servlet>
     <servlet-name>License Response Servlet</servlet-name>
     <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
     <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
     <servlet-name>Licenses Response Servlet</servlet-name>
     <url-pattern>/lic/accept/</url-pattern>

After:

<!--

Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments:

<servlet>
     <servlet-name>License Response Servlet</servlet-name>
     <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
     <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
     <servlet-name>Licenses Response Servlet</servlet-name>
     <url-pattern>/lic/accept/</url-pattern>
</servlet-mapping>
 -->

Restart the GoAnywhere MFT application. If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.

Rapid7 customers

The February 3, 2023 content-only release of InsightVM and Nexpose will add support for customers to use the following query to identify potentially affected GoAnywhere MFT instances in their environments:
asset.software.product = 'Managed File Transfer'.

Vulnerability checks may follow if the vendor releases one or more official fixed versions of the application.

Exploitation of Control Web Panel CVE-2022-44877

On January 3, 2023, security researcher Numan Türle published a proof-of-concept exploit for CVE-2022-44877, an unauthenticated remote code execution vulnerability in Control Web Panel (CWP, formerly known as CentOS Web Panel) that had been fixed in an October 2022 release of CWP. The vulnerability arises from a condition that allows attackers to run bash commands when double quotes are used to log incorrect entries to the system. Successful exploitation allows remote attackers to execute arbitrary operating system commands via shell metacharacters in the login parameter (login/index.php).

On January 6, 2023, security nonprofit Shadowserver reported exploitation in the wild. As of January 19, 2023, security firm GreyNoise has also seen several IP addresses exploiting CVE-2022-44877.

Control Web Panel is a popular free interface for managing web servers; Shadowserver’s dashboard for CWP identifies tens of thousands of instances on the internet. There doesn’t appear to be a detailed vendor advisory for CVE-2022-44887, but available information indicates Control Web Panel 7 (CWP 7) versions before 0.9.8.1147 are vulnerable. CWP users should upgrade their versions to 0.9.8.1147 or later as soon as possible.

Rapid7 customers

InsightVM & Nexpose customers: We expect coverage for CVE-2022-44877 to be available in the January 19 content release.

CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario.
Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Patches were released in October and November of 2022; the exact timing of fixed version releases varies by product.

Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun.

Affected products

See ManageEngine’s advisory for CVE-2022-47966 for updated product and version information.

At the time of publication, the vulnerable products are subject to certain caveats according to Zoho’s advisory.

The following list of vulnerable products is subject to the caveats below:
* Vulnerable if configured SAML-based SSO and it is currently active.
** Vulnerable if configured SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

  • Access Manager Plus*
  • Active Directory 360**
  • ADAudit Plus**
  • ADManager Plus**
  • ADSelfService Plus**
  • Analytics Plus*
  • Application Control Plus*
  • Asset Explorer**
  • Browser Security Plus*
  • Device Control Plus*
  • Endpoint Central*
  • Endpoint Central MSP*
  • Endpoint DLP*
  • Key Manager Plus*
  • OS Deployer*
  • PAM 360*
  • Password Manager Pro*
  • Patch Manager Plus*
  • Remote Access Plus*
  • Remote Monitoring and Management (RMM)*
  • ServiceDesk Plus**
  • ServiceDesk Plus MSP**
  • SupportCenter Plus**
  • Vulnerability Manager Plus*

Background

ManageEngine released patches for these products in October and November of 2022.

Rapid7 observed exploitation across organizations as early as January 18, 2023.

Security firm Horizon3 released technical information with a proof of concept (PoC) on January 19, 2023.

Rapid7 customers

InsightVM & Nexpose customers: Our researchers are currently evaluating the feasibility of adding vulnerability checks for as many of the affected products as possible. We expect coverage for ManageEngine ServiceDesk Plus to be available in the January 19 content release.

InsightIDR & Managed Detection & Response customers: the previously existing detections have been triggering post exploitation:

  • Suspicious Process - Zoho ManageEngine Spawns Child
  • Attacker Technique - Plink Redirecting RDP
  • Attacker Technique - Renamed Plink
CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”, a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via privilege escalation via Outlook Web Access (OWA).

Patched servers do not appear vulnerable, servers only utilizing Microsoft’s mitigations do appear vulnerable.

Threat actors are using this to deploy ransomware.

Rapid7 recommends that organizations who have yet to install the Exchange update (KB5019758) from November 2022 should do so immediately and investigate systems for indicators of compromise. Do not rely on the rewrite mitigations for protection.

Affected Products

The following on-prem versions of Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

IOCs

In addition to the detection rules included in InsightIDR for Rapid7 customers, other IOCs include:

  • PowerShell spawned by IIS ('w3wp.exe') creating outbound network connections
  • 45.76.141[.]84
  • 45.76.143[.]143
  • 45.76.141[.]84

Example command being spawned by IIS (w3wp.exe):

CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE

Decoded command where the highlighted string (0x2d4c8f8f) is the hex representation of the IP address 45.76.143[.]143

CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE

Rapid7 Customers

Customers already have coverage to assist in assessing exposure to and detecting exploitation of this threat.

InsightVM and Nexpose

InsightVM and Nexpose added checks for CVE-2022-41080 and CVE-2022-41082 on November 8, 2022.

InsightIDR

InsightIDR customers can look for the alerting of the following rules, typically seeing several (or all) triggered on a single executed command:

  • Attacker Technique - PowerShell Registry Cradle
  • Suspicious Process - PowerShell System.Net.Sockets.TcpClient
  • Suspicious Process - Exchange Server Spawns Process
  • PowerShell - Obfuscated Script
  • Webshell - IIS Spawns PowerShell
    Additional detections currently being observed with follow-on activity in these compromises include:
  • Attacker Technique - Plink Redirecting RDP
  • Attacker Technique - Renamed Plink
  • Suspicious Process - Started From Users Music Directory

Managed Detection & Response customers

Your customer advisor will reach out to you right away if any suspicious activity is observed in your organization.

Eoin Miller contributed to this article.

Updates

12/21/22 1PM ET: Added additional IOC