New Microsoft Exchange zero-days actively exploited in attacks

Threat actors are exploiting previously undisclosed Microsoft Exchange zero-day flaws to allow remote code execution, according to security researchers from Vietnam’s Cyber ​​Security Department GTSC, who first noticed and reported the attacks.

Attackers chain a pair of zero days to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as move laterally to other systems on victims’ networks.

“The vulnerability appears to be so critical that it allows an attacker to perform RCE on a compromised system,” the researchers said. Infinix Note 12 (2023) and Zero 20 Launched Starting At €218

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shell code page, which is Microsoft’s character encoding for Simplified Chinese.

The user agent used to install webshells also belongs to Antsword, a Chinese open-source website management tool with support for webshell management.

Microsoft has not yet released any information regarding the two security flaws and has not yet assigned a CVE ID to track them.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts verified the issues.

“GTSC immediately submitted the vulnerability to the Zero Day Initiative (ZDI) to work with Microsoft so that a fix can be prepared as soon as possible,” they added. “ZDI has verified and acknowledged 2 bugs with CVSS scores of 8.8 and 6.3.” Coin Master Free Spins & Coins: Today’s links (28 September 2022)

Trend Micro issued a security advisory Thursday evening confirming that it has sent Microsoft two new Microsoft Exchange zero-day vulnerabilities discovered by GTSC.

The company has already added detections for these zero days to its IPS N-Platform, NX-Platform or TPS products.

https://twitter.com/GossiTheDog/status/1575580072961982464?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1575580072961982464%7Ctwgr%5E2a4990146e3946e28a26f50184bf9d97b5b2f5ec%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fnew-microsoft-exchange-zero-days-actively-exploited-in-attacks%2F

GTSC has released very few details about these zero-day bugs. However, its researchers revealed that the requests used in this chain of exploits are similar to those used in attacks targeting ProxyShell vulnerabilities.

Exploitation works in two stages:

  1. Requests with a format similar to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/&Email=autodiscover/autodiscover.json%3f@evil.com.
  2. Using the link above to access a component in the backend where RCE could be implemented.

“The version number of these Exchange servers indicated that the latest update was already installed, so exploitation using the Proxyshell vulnerability was not possible,” the researchers said. Intel ’13th Gen’ Based i9-13900HK & i7-13700H Laptop Chips Benchmarked, Slower Than Last-Gen

Temporary relief available

Until Microsoft releases security updates to address these two zero days, GTSC shared a temporary mitigation that would block attack attempts by adding a new IIS server rule using the URL Rewrite Rule module:

  1. In Autodiscover on the FrontEnd, select the URL Rewrite tab, then Block Request.
  2. Add the string “.autodiscover.json.\@.Powershell.” to the URL path.
  3. Enter condition: Select {REQUEST_URI}

“We recommend all organizations/businesses worldwide using Microsoft Exchange Server to review, review and apply the above temporary fix as soon as possible to avoid potential serious damage,” GTSC added. How To Save Your Game in Disney Dreamlight Valley

Administrators who want to check that their Exchange servers have not already been compromised using this exploit can run the following PowerShell command to scan the IIS log files for indicators of vulnerability:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Spokespeople for Microsoft and ZDI were not immediately available for comment when contacted by BleepingComputer today.

Leave a Comment