Threat actors exploit as-yet-undisclosed Microsoft Exchange zero-day bugs that allow remote code execution, according to claims by security researchers at GTSC, the Vietnamese cybersecurity team that first noticed and reported the attacks.
Attackers chain a zero-day pair to deploy Chinese Chopper webshells to compromised servers for persistence and data theft, as well as laterally switch to other systems in victims’ networks.
“The vulnerability is so critical that it allows an attacker to RCE on the compromised system,” the researchers wrote. aforementioned.
GTSC suspects a Chinese threat group is responsible for attacks based on the code page of web shells, a Microsoft character encoding for simplified Chinese.
The user agent used to install web shells is also owned by Antsword, a China-based open source website administrator tool with web shell management support.
So far, Microsoft has not disclosed any information about the two vulnerabilities and has yet to assign a CVE ID to track them.
Researchers privately reported the vulnerabilities to Microsoft three weeks ago. Zero Day Initiativefollowing them ZDI-CAN-18333 and ZDI-CAN-18802 after analysts confirm the issues.
“GTSC immediately submitted the vulnerability to the Zero Day Initiative (ZDI) to work with Microsoft so that a patch can be prepared as soon as possible,” they added. “ZDI has confirmed and confirmed 2 bugs with CVSS scores of 8.8 and 6.3.”
Trend Micro released a security advisory Thursday evening, confirming that it has submitted two new Microsoft Exchange zero-day vulnerabilities discovered by GTSC to Microsoft.
The company has already added detections for these zero-days to its IPS N-Platform, NX-Platform or TPS products.
There have been reports emerging that a new zero-day exists on Microsoft Exchange and is being actively exploited in the wild.
I can confirm that a significant number of Exchange servers are backdoored, including a honeypot.
Here’s the thread to follow up on the issue:
— Kevin Beaumont (@GossiTheDog) 29 September 2022
GTSC has released few details regarding these zero-day errors. Still, its researchers found that the requests used in this exploit chain were similar to those used in attacks targeting users. ProxyShell vulnerabilities.
The exploit works in two stages:
- Requests with a format similar to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/
&Email=autodiscover/autodiscover.json%3f@evil.com . - Using the above link to access a component in the backend where RCE can be applied.
“The version number of these Exchange servers indicated that the latest update was already installed, so an exploit using the Proxyshell vulnerability was impossible,” the researchers said.
Temporary reduction available
Until Microsoft releases security updates to address the two zero-days, GTSC shared temporary relief It blocks attack attempts by adding a new IIS server rule using the URL Rewrite Rule module:
- In FrontEnd Auto-Discovery, select the URL Rewrite tab and then Request Blocking.
- add string “.*autodiscover\.json.*\@.*Powershell.*” to URL Path.
- Condition entry: Select {REQUEST_URI}
GTSC, “We recommend that all organizations/businesses using Microsoft Exchange Server worldwide check, review and implement the above workaround as soon as possible to avoid potential serious harm.” said.
Administrators who want to check if Exchange servers have been compromised using this exploit can run the following PowerShell command to scan the IIS log files for indicators of security breaches:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200Microsoft and ZDI spokespersons were not immediately available for comment when contacted BleepingComputer earlier today.
This is a developing story.
Update 09/29/22 19:02 EST: Added information about Trend Micro’s recommendation for two zero days.
