Categories: Tech

Actively exploited new Microsoft Exchange zero-day vulnerabilities

Security researchers at Vietnamese cybersecurity firm GTSC, who first discovered and reported the attacks, say that threat actors are exploiting two yet-to-be-disclosed Microsoft Exchange zero-day vulnerabilities to achieve remote code execution.

The attackers chain the two zero-days to move laterally to other systems on the victims’ networks and to drop China Chopper web shells on compromised servers for persistence and data theft.

The researchers stated that the vulnerability “turns out to be so serious that it permits the attacker to do RCE on the compromised system.”


Based on the web shells’ code page (a Microsoft character encoding for simplified Chinese), GTSC surmises that a Chinese threat group is behind the attacks.

The user agent used to install the web shells also belongs to Antsword, a Chinese-origin open-source website administration tool with web shell management support.

Microsoft has not yet provided any details about the two security holes, nor assigned them CVE IDs under which they can be tracked.

Three weeks ago, the researchers privately reported the flaws to Microsoft via Trend Micro’s Zero Day Initiative, which tracked them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

“GTSC submitted the vulnerability to the Zero Day Initiative (ZDI) right away to work with Microsoft so that a patch could be prepared as soon as possible,” they added. “Two defects with CVSS scores of 8.8 and 6.3 were verified and recognised by ZDI.”

On Thursday night, Trend Micro published a security alert stating that it had notified Microsoft of the two new Microsoft Exchange zero-day vulnerabilities found by GTSC.

The company’s IPS N-Platform, NX-Platform, and TPS products already include detections for these zero-day vulnerabilities.

GTSC has disclosed few specifics about these zero-days. However, its experts say the requests used in this exploit chain are identical to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit has two phases:

First, requests with a structure resembling the ProxyShell flaw: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

Second, use of the above link to reach a backend component where the RCE can be triggered.

According to the researchers, the version numbers of these Exchange servers showed that the latest update had already been installed, so the ProxyShell vulnerability could not have been the one exploited.

Available temporary mitigation

Until Microsoft publishes security patches for the two zero-days, GTSC has released a temporary mitigation that blocks the attack attempts by adding a new IIS server rule with the URL Rewrite Rule module:

In IIS Manager, select Autodiscover under the FrontEnd site, open URL Rewrite, and add a Request Blocking rule.

Add the string “.*autodiscover.json.*@.*Powershell.*” to the URL Path.

Condition input: choose {REQUEST_URI}.

To prevent potentially serious losses, GTSC advised all organisations running Microsoft Exchange Server to check, review, and apply the temporary fix above as soon as possible.

The following PowerShell command searches the IIS log files for indicators of compromise, to determine whether any Exchange servers have already been breached using this exploit (replace the placeholder with the path to the IIS logs):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern "powershell.*autodiscover.json.*@.*200"

When contacted by BleepingComputer earlier today, Microsoft and ZDI spokespeople were not immediately available for comment.

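The same hunting pattern wrapped in a function and run over a few constructed IIS W3C log lines, as an added example that is not part of the original article or GTSC’s advisory. The sample log lines, client addresses and user agent are made up for the example; the field positions assume the default IIS W3C logging fields, and $LogRoot is a placeholder path.

```powershell
# Added example (not GTSC's command): pull analyst-relevant fields out of each
# IIS log line that matches the advisory's hunting regex.
function Find-AutodiscoverPowershellHits {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Pattern from the advisory; Select-String is case-insensitive by default.
        [string]$Pattern = 'powershell.*autodiscover.json.*@.*200'
    )
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |   # skip W3C header/comment lines
        Select-String -Pattern $Pattern |
        ForEach-Object {
            # Default W3C field order assumed:
            # date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
            # c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
            $f = $_.Line -split ' '
            [pscustomobject]@{
                Time      = "$($f[0]) $($f[1])"
                ClientIP  = $f[8]
                UserAgent = $f[9]
                Status    = $f[11]
                Query     = $f[5]
            }
        }
}

# Constructed sample log (not real data). Line 1 is a ProxyShell-shaped request
# answered with 200; line 2 is benign OWA traffic; line 3 is the same attack
# shape rejected with 401, which the advisory's pattern deliberately ignores.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-09-28 03:12:44 10.0.0.5 GET /autodiscover/autodiscover.json @evil.com/powershell/?X-Rps-CAT=xyz&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 antSword/v2.1 - 200 0 0 112
2022-09-28 03:12:45 10.0.0.5 GET /owa/ - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 5
2022-09-28 03:13:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell/?X-Rps-CAT=abc&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 antSword/v2.1 - 401 1 0 9
'@

# Run over the constructed sample: only the first line should be reported.
$hits = Find-AutodiscoverPowershellHits -Lines ($SampleLog -split '\r?\n')
$hits | Format-Table -AutoSize

# Same function over real logs. $LogRoot is a placeholder; the IIS default is
# %SystemDrive%\inetpub\logs\LogFiles, but Exchange deployments often move it.
# $LogRoot = 'C:\inetpub\logs\LogFiles'
# Get-ChildItem -Recurse -Path $LogRoot -Filter '*.log' |
#     ForEach-Object { Find-AutodiscoverPowershellHits -Lines (Get-Content $_.FullName) }
```

Two caveats follow from the pattern itself. It requires a 200 response, so failed attempts (401, 404) that still reveal scanning from a given source are not surfaced; drop the trailing “200” to see those too. And it only reflects the frontend IIS logs; a hit here says the request reached the server, so the next step is to check the backend PowerShell and Exchange HTTP proxy logs and the web server directories for newly written .aspx files.
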
This story is still developing.

Update 9/29/22, 7:02 PM Eastern Time: Added details about Trend Micro’s advisory on the two zero-days.

Published by
soumyadip77