New Microsoft Exchange zero-days reportedly exploited in attacks

Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks.

The attackers are chaining the pair of zero-days to deploy China Chopper web shells on compromised servers for persistence and data theft, and to move laterally to other systems on the victims’ networks.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

The user agent used to install the web shells also belongs to AntSword, a China-based open-source website administration tool with web shell management support.

Microsoft hasn’t disclosed any information regarding the two security flaws so far and is yet to assign a CVE ID to track them.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

“GTSC submitted the vulnerability to the Zero Day Initiative (ZDI) right away to work with Microsoft so that a patch could be prepared as soon as possible,” they added. “ZDI verified and acknowledged 2 bugs, whose CVSS scores are 8.8 and 6.3.”

There are reports emerging that a new zero-day exists in Microsoft Exchange, and it is being actively exploited in the wild.

I can confirm significant numbers of Exchange servers have been backdoored – including a honeypot.

Thread to track issue follows:

— Kevin Beaumont (@GossiTheDog) September 29, 2022

GTSC has released very few details regarding these zero-day bugs. Still, its researchers did reveal that the requests used in this exploit chain are similar to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit works in two stages:

  1. Requests with a similar format to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/&Email=autodiscover/autodiscover.json%3f@evil.com.
  2. Use of the request above to reach a component in the backend where the RCE is triggered.

“The version number of these Exchange servers showed that the latest update had already been installed, so an exploitation using the ProxyShell vulnerability was impossible,” the researchers said.

Temporary mitigation available

Until Microsoft releases security updates to address the two zero-days, GTSC shared a temporary mitigation that blocks attack attempts by adding a new IIS server rule using the URL Rewrite module:

  1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
  2. Add the string ".*autodiscover.json.*@.*Powershell.*" to the URL Path.
  3. Condition input: Choose {REQUEST_URI}

“We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the above temporary remedy as soon as possible to avoid potential serious damages,” GTSC added.

Admins who want to check whether their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan the IIS log files for indicators of compromise (replace <Path_IIS_Logs> with the server's IIS log directory):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'
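The same two checks, the URL Rewrite blocking condition from the mitigation steps above and the log-scanning indicator from the PowerShell one-liner, carried through as a small offline triage script. This is an added example, not GTSC's or BleepingComputer's code; the IIS log lines in it are constructed for the example (RFC 5737 documentation addresses, no real traffic), and the field layout assumes the default IIS W3C format with a `#Fields:` header. It goes one step beyond the one-liner: besides running the raw regex over whole lines, it parses each record and checks the request URI against the rewrite condition together with an exact `sc-status`, so a matching request that was answered with 401/404 (an attempt) is reported separately from one that got a 200, and a stray "200" inside a client address cannot masquerade as a successful hit.

```python
"""Triage IIS W3C logs for the Autodiscover/PowerShell request shape (added example)."""
import re

# Regex from the article's PowerShell one-liner; Select-String is case-insensitive by default.
RAW_IOC = re.compile(r"powershell.*autodiscover\.json.*@.*200", re.IGNORECASE)

# Condition from GTSC's temporary URL Rewrite rule, applied to {REQUEST_URI};
# URL Rewrite conditions ignore case by default, hence IGNORECASE here too.
REQUEST = re.compile(r".*autodiscover\.json.*@.*Powershell.*", re.IGNORECASE)

# Constructed sample log (not from the article). Line 3: matching request answered 200.
# Line 5: same request shape, answered 404, from a client address that happens to contain "200".
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2022-09-29 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example "
    "443 - 198.51.100.7 antSword/v2.1 200",
    "2022-09-29 10:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2022-09-29 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example "
    "443 - 198.51.100.200 python-requests/2.28 404",
    "2022-09-29 10:00:04 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200",
])


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the most recent #Fields header."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the "#Fields:" token
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")           # IIS encodes spaces inside values as '+'
            if len(values) == len(fields):
                yield line_no, dict(zip(fields, values))


def would_block(request_uri):
    """True if the mitigation's URL Rewrite condition matches this request URI."""
    return REQUEST.search(request_uri) is not None


def scan_raw(text):
    """Line numbers flagged by the article's one-liner regex, run over whole lines."""
    return [n for n, line in enumerate(text.splitlines(), 1) if RAW_IOC.search(line)]


def scan_structured(text):
    """Map line_no -> sc-status for every request whose URI matches the exploit shape.

    A 200 means the backend answered the request; anything else is still an attempt
    worth looking at, but it is reported with its real status rather than guessed
    from a '200' appearing elsewhere on the line.
    """
    hits = {}
    for line_no, rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        if would_block(uri):
            hits[line_no] = rec.get("sc-status", "?")
    return hits


def successful_hits(text):
    """Only the matching requests that received HTTP 200."""
    return [n for n, status in scan_structured(text).items() if status == "200"]


if __name__ == "__main__":
    print("raw one-liner regex flags lines:", scan_raw(SAMPLE_LOG))
    print("parsed matches with status:", scan_structured(SAMPLE_LOG))
    print("answered with 200:", successful_hits(SAMPLE_LOG))
```

To run it against a real server, replace SAMPLE_LOG with the contents of each file under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles) and keep both views: the raw regex is the quick sweep, the parsed status tells you which of those requests actually reached the backend.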

Microsoft and ZDI spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today.
