New Microsoft Exchange zero-day actively exploited in attacks

Threat actors are exploiting previously undisclosed Microsoft Exchange zero-day bugs allowing remote code execution, according to claims by security researchers from Vietnamese cybersecurity firm GTSC, who have been the first to spot and report attacks.

Attackers chain the pair of zero-days to deploy China Chopper web shells on compromised servers for persistence and data theft, and to move laterally to other systems on victims' networks.

“The vulnerability is found to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.

GTSC suspects that a Chinese threat group is behind the attacks, based on the web shells' code page, a Microsoft character encoding for Simplified Chinese.

The user agent used to install web shells also belongs to Antsword, a China-based open-source website administration tool with support for managing web shells.

Microsoft has so far not disclosed any information regarding the two security flaws and has not yet assigned CVE identifiers to track them.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

“GTSC immediately submitted the vulnerability to the Zero Day Initiative (ZDI) to work with Microsoft so that a fix can be prepared as soon as possible,” they added. “ZDI checked and acknowledged 2 bugs, with CVSS scores of 8.8 and 6.3.”

Trend Micro issued a security advisory Thursday evening confirming that it had submitted to Microsoft the two new Microsoft Exchange zero-day vulnerabilities discovered by GTSC.

The company has already added detections for these zero-days to its IPS N-Platform, NX-Platform or TPS products.

GTSC has released very few details regarding these zero-day bugs. Its researchers did reveal, however, that the requests used in this exploit chain are similar to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit works in two steps:

  1. Requests in a format similar to those used against the ProxyShell vulnerability: autodiscover/[email protected]/&Email=autodiscover/autodiscover.json%[email protected].
  2. Using the link above to reach a component in the backend where the RCE can be triggered.

“The version number of these Exchange servers indicated that the latest update had already been installed, so an exploit using the Proxyshell vulnerability was impossible,” the researchers said.

Temporary mitigation available

Until Microsoft releases security updates to resolve the two zero-days, GTSC shared a temporary mitigation that blocks attack attempts by adding a new IIS server rule using the URL Rewrite Rule module:

  1. In Autodiscover under FrontEnd, select the URL Rewrite tab, then Request Blocking.
  2. Add the string “.*autodiscover.json.*@.*Powershell.*” to the URL path.
  3. For the condition input, choose {REQUEST_URI}.

“We recommend that all organizations/companies around the world that use Microsoft Exchange Server check, review and apply the above temporary remedy as soon as possible to avoid possible serious harm,” GTSC added.

Administrators who want to check whether their Exchange servers have been compromised using this exploit can run the following PowerShell command to search the IIS log files for indicators of compromise (replace the placeholder with the path to the IIS logs):

Get-ChildItem -Recurse -Path <path-to-IIS-logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'
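As an added illustration (not from the article or from GTSC), the same indicator check written in Python for offline review of exported IIS logs, parsing the W3C fields so each hit reports the client IP, user agent and status rather than a raw line. The log lines are constructed samples and example.test is a placeholder host:

```python
import re
from pathlib import Path
from typing import Iterator

# Indicator quoted from GTSC's guidance above: a 'powershell' backend hop reached via an
# autodiscover.json path containing '@', answered with HTTP 200. The \b anchors and
# IGNORECASE are additions so the 200 is read as a status code, not a query fragment.
IOC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*@.*\b200\b", re.IGNORECASE)

# Constructed IIS W3C log sample (not real traffic; example.test is a placeholder host).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.20 Microsoft+Office/16.0 - 200 0 0 31
2022-09-28 10:05:44 10.0.0.5 GET /autodiscover/autodiscover.json @EXAMPLE.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.7 antSword/v2.1 - 200 0 0 120
2022-09-28 10:06:10 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.7 antSword/v2.1 - 500 0 0 15
"""

def parse_iis_log(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_suspicious_requests(text: str) -> list[dict]:
    """Return parsed entries whose full URI matches the indicator and got HTTP 200."""
    hits = []
    for entry in parse_iis_log(text):
        uri = entry["cs-uri-stem"] + "?" + entry["cs-uri-query"]
        if IOC_PATTERN.search(f"{uri} {entry['sc-status']}"):
            hits.append(entry)
    return hits

def scan_log_directory(root: str) -> list[dict]:
    """Recursive equivalent of the Get-ChildItem pipeline: every *.log under root."""
    hits = []
    for path in Path(root).rglob("*.log"):
        for entry in find_suspicious_requests(path.read_text(errors="replace")):
            hits.append({**entry, "file": str(path)})
    return hits
```

The failed attempt (status 500) in the sample is deliberately not flagged, matching the page's pattern, so hunt for non-200 attempts separately if you want to see probing as well as success.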

Spokespersons for Microsoft and ZDI were not immediately available for comment when contacted by BleepingComputer earlier today.

This is a developing story.

Update 9/29/22 7:02 PM EST: Added information on Trend Micro’s notice of the two zero days.


