Background / What has happened?
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is aware of two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019 (Exchange). Whilst the ASD's ACSC has seen exploitation attempts, we are not aware of successful exploitation within Australia.
Microsoft has released information on the vulnerabilities, along with mitigations and detections.
CVEs have been assigned:
- CVE-2022-41082 – Remote Code Execution Vulnerability
- CVE-2022-41040 – Elevation of Privilege Vulnerability
Historical CVEs related to ProxyShell:
- CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
- CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
Mitigation / How do I stay secure?
Refer to Microsoft's advice, which contains mitigation and detection guidance. Additional information can be found in Microsoft's blog.
Organisations that have not yet deployed mitigations, or that have seen successful exploitation, should look for post-exploitation activity, including the deployment of web shells.
Assistance / Where can I go for help?
The ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ASD's ACSC via cyber.gov.au/report or 1300 CYBER1 (1300 292 371).