New Microsoft Exchange zero-days reportedly exploited in attacks

Microsoft Exchange

Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks.

The attackers are chaining the pair of zero-days to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as move laterally to other systems on the victims’ networks.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

The user agent used to install the web shells also belongs to Antsword, a Chinese-based open-source website admin tool with web shell management support.

Microsoft hasn’t disclosed any information regarding the two security flaws so far and is yet to assign a CVE ID to track them.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

“GTSC submitted the vulnerability to the Zero Day Initiative (ZDI) right away to work with Microsoft so that a patch could be prepared as soon as possible,” they added. “ZDI verified and acknowledged 2 bugs, whose CVSS scores are 8.8 and 6.3.”

GTSC has released very few details regarding these zero-day bugs. Still, its researchers did reveal that the requests used in this exploit chain are similar to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit works in two stages:

  1. Requests with a similar format to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com.
  2. The use of the link above to access a component in the backend where the RCE could be implemented.

“The version number of these Exchange servers showed that the latest update had already installed, so an exploitation using Proxyshell vulnerability was impossible,” the researchers said.

Temporary mitigation available

Until Microsoft releases security updates to address the two zero-days, GTSC shared temporary mitigation that would block attack attempts by adding a new IIS server rule using the URL Rewrite Rule module:

  1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
  2. Add string “.*autodiscover\.json.*\@.*Powershell.*“ to the URL Path.
  3. Condition input: Choose {REQUEST_URI}

“We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the above temporary remedy as soon as possible to avoid potential serious damages,” GTSC added.

Admins who want to check if their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan IIS log files for indicators of compromise:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200

Microsoft and ZDI spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today.