Security researchers at Vietnamese cybersecurity outfit GTSC, who first discovered and reported the attacks, say that threat actors are exploiting a yet-to-be-disclosed Microsoft Exchange zero-day vulnerability to achieve remote code execution.
The attackers are chaining the two zero-day vulnerabilities to move laterally to other systems on the victims’ networks and to deploy China Chopper web shells on compromised servers for persistence and data theft.
The researchers stated that the vulnerability “turns out to be so serious that it permits the attacker to do RCE on the compromised system.”
Based on the code page of the web shells, a Microsoft character encoding for simplified Chinese, GTSC surmises that a Chinese threat group is behind the attacks.
The user agent used to install the web shells also belongs to Antsword, an open-source website administration tool of Chinese origin that supports web shell management.
Microsoft has not yet provided any details about the two security holes and has not given them a CVE ID to be tracked.
Three weeks ago, the researchers confidentially informed Microsoft of the security flaws via the Zero Day Initiative, which later tracked them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts verified the problems.
“GTSC submitted the vulnerability to the Zero Day Initiative (ZDI) right away to work with Microsoft so that a patch could be prepared as soon as possible,” they added. “2 defects with CVSS scores of 8.8 and 6.3 were verified and recognised by ZDI.”
On Thursday night, Trend Micro published a security alert stating that it had notified Microsoft of the two fresh Microsoft Exchange zero-day vulnerabilities that GTSC had found.
The company’s IPS N-Platform, NX-Platform, and TPS products already have detections for these zero-day vulnerabilities.
GTSC has disclosed few specifics about these zero-day issues. However, according to its experts, the requests used in this exploit chain are identical to those used in attacks targeting the ProxyShell vulnerabilities.
The exploit has two phases:
1. Requests with a structure resembling the ProxyShell flaw: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
2. Use of the above connection to reach a backend component where the RCE can be triggered.
The version numbers of these Exchange servers show that the most recent update had already been installed, which rules out exploitation of the ProxyShell vulnerability, according to the researchers.
Available temporary mitigation
Until Microsoft publishes security patches for the two zero-days, GTSC has released a temporary mitigation that blocks attack attempts by adding a new IIS server rule with the URL Rewrite Rule module:
In Autodiscover at FrontEnd, open the URL Rewrite tab and select Request Blocking.
Add the string “.*autodiscover.json.*@.*Powershell.*” to the URL Path.
Condition input: select REQUEST URI.
In order to prevent potential serious losses, GTSC advised all businesses utilising Microsoft Exchange Server to check, review, and implement the aforementioned temporary fix as soon as possible.
The following PowerShell command searches IIS log files for signs of compromise, to check whether any Exchange servers have already been breached using this exploit (replace the placeholder with the path to the IIS logs):
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern "powershell.*autodiscover.json.*@.*200"
When approached by BleepingComputer earlier today, Microsoft and ZDI spokespeople were not immediately available for comment.
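As an added illustration (not code from the article, GTSC or Trend Micro), the following Python script applies both patterns above to a constructed IIS W3C log excerpt: the URL Rewrite blocking pattern against the reconstructed {REQUEST_URI}, to show which requests the mitigation would stop, and the one-liner's regex against each raw line, beside a check of the actual sc-status field so that a "200" elsewhere on the line is not mistaken for a served request. The log rows, addresses and user agent are constructed sample data.

```python
import re

# Regex from the page's Select-String one-liner (Select-String ignores case by default);
# the '.' before 'json' is escaped so it matches literally.
LINE_PATTERN = re.compile(r"powershell.*autodiscover\.json.*@.*200", re.IGNORECASE)
# Pattern from the page's URL Rewrite blocking rule, applied to {REQUEST_URI}.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*@.*powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt for demonstration only; not real traffic.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell/&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 192.0.2.10 antSword/v2.1 - 200 0 0 120
2022-09-28 10:00:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 30
2022-09-28 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell/&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 192.0.2.10 antSword/v2.1 - 401 0 0 200
"""

def parse_w3c(text):
    """Yield (row_dict, raw_line) per log row, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows rather than guess columns
                yield dict(zip(fields, values)), line

def request_uri(row):
    """Rebuild {REQUEST_URI} as the rewrite module sees it: stem plus '?query' when logged."""
    query = row["cs-uri-query"]
    return row["cs-uri-stem"] if query == "-" else f"{row['cs-uri-stem']}?{query}"

def scan_iis_log(text):
    """Return one record per request that the blocking rule would have stopped.

    'line_hit' is what the page's one-liner reports for the raw line; 'served' tests
    sc-status itself, so a '200' elsewhere on the line (e.g. time-taken) is not taken
    as a successful exploit request."""
    hits = []
    for row, raw in parse_w3c(text):
        if BLOCK_PATTERN.fullmatch(request_uri(row)):
            hits.append({
                "c-ip": row["c-ip"],
                "user_agent": row["cs(User-Agent)"],
                "status": row["sc-status"],
                "served": row["sc-status"] == "200",
                "line_hit": LINE_PATTERN.search(raw) is not None,
            })
    return hits
```

The third sample row shows why the one-liner alone is a triage signal rather than proof: its regex matches because time-taken happens to be 200, while the structured check reports the request was refused with 401.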
This story is still developing.
Update, 9/29/22 7:02 PM ET: Added details about Trend Micro’s advice on the two zero-days.