Microsoft Exchange - Zero-day - September 2022

Microsoft Exchange – New zero-day vulnerabilities exploited!

Security researchers from GTSC report that attackers are exploiting two zero-day flaws in Microsoft Exchange to execute code remotely on the targeted mail server. These flaws, which have not been patched to date, represent a real danger. Here is what is known so far.

These security flaws are considered critical because chaining the two allows remote code execution on the Exchange server (in particular when it is exposed to the Internet), which in turn allows a web shell to be deployed. From there the door is open to further actions: data theft, lateral movement, and so on. As for exploitation, the requests are of the same type as those used for ProxyShell, one of the worst vulnerabilities of 2021.

According to GTSC, a Chinese threat group is believed to be behind these attacks. Why? Because the User-Agent used to install the web shells refers to AntSword, an open-source web shell management tool from China, and the web shell pages use Microsoft's Simplified Chinese encoding.

Three weeks ago, the researchers privately reported these flaws to Microsoft through the Zero Day Initiative (ZDI), which is tracking them as ZDI-CAN-18333 and ZDI-CAN-18802 with CVSS scores of 8.8 and 6.3 out of 10 respectively. For now, Microsoft has not disclosed any information about the two vulnerabilities, and no CVE identifiers have been assigned yet.

How to protect your Exchange server?

On Trend Micro's side, the intrusion prevention filters for N-Platform, NX-Platform and TPS have already been updated to detect attempts to exploit these new zero-day vulnerabilities.

Although few technical details are available at the moment, it is known that exploitation is carried out through a request such as “autodiscover/[email protected]/&Email=autodiscover/autodiscover.json%[email protected].”, and that it works even against a fully patched Exchange server. The distinctive shape is a request to the Autodiscover endpoint whose URL contains an “@” followed by a reference to the PowerShell endpoint, which is exactly what the blocking rule and the log search below key on.

While waiting for a patch from Microsoft, here is the workaround proposed by GTSC to block exploitation attempts by adapting the IIS configuration. It is a stopgap: it only rejects requests that match this URL shape, so it does not replace the patch once one is available.

1 – On the front-end Autodiscover server, open the IIS console, go to the URL Rewrite module and choose Request Blocking.

2 – Add the string “.*autodiscover\.json.*\@.*Powershell.*” as the pattern for the URL path.

3 – Choose {REQUEST_URI} as the condition input.
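The same Request Blocking rule applied from PowerShell with the WebAdministration module, so the change can be scripted on several front-end servers and audited afterwards. This is an added example, not code from the original article or from GTSC. The rule name and the site path are this example's own choices, and it assumes the wizard-generated rule has the shape "match any URL, condition on {REQUEST_URI}, abort request"; verify the result in IIS Manager after running it.

```powershell
# Added example (not from the original article or GTSC): create the Request Blocking
# rule from the three IIS Manager steps with the WebAdministration cmdlets.
# Assumptions (this example's own): rule name, site path, and the rule shape
# "match any URL, condition on {REQUEST_URI}, AbortRequest".
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site    = 'IIS:\Sites\Default Web Site'              # Exchange front-end site hosting /Autodiscover
$Name    = 'BlockAutodiscoverPowershell'              # hypothetical rule name
$Pattern = '.*autodiscover\.json.*\@.*Powershell.*'   # exact string from the article
$Rules   = 'system.webServer/rewrite/rules'
$Rule    = "$Rules/rule[@name='$Name']"

# Idempotent: a second run must not add a duplicate rule.
if (Get-WebConfiguration -PSPath $Site -Filter $Rule) {
    Write-Host "Rule '$Name' is already present on $Site"
}
else {
    # <rule name="..." stopProcessing="true">
    Add-WebConfigurationProperty -PSPath $Site -Filter $Rules -Name '.' `
        -Value @{ name = $Name; stopProcessing = 'True' }
    #   <match url=".*" />  (the filtering is done by the condition, not by the URL match)
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rule/match" -Name url -Value '.*'
    #   <conditions><add input="{REQUEST_URI}" pattern="..." /></conditions>
    Add-WebConfigurationProperty -PSPath $Site -Filter "$Rule/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }
    #   <action type="AbortRequest" />  (drops the connection; a 403 CustomResponse also works)
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rule/action" -Name type -Value 'AbortRequest'
    Write-Host "Rule '$Name' added to $Site"
}

# Show the pattern that landed in web.config. Check it in IIS Manager > URL Rewrite too,
# and confirm that an ordinary Autodiscover request is still served before moving on.
Get-WebConfigurationProperty -PSPath $Site -Filter "$Rule/conditions/add" -Name pattern
```

URL Rewrite conditions are case-insensitive by default, so the capitalised “Powershell” in the pattern also matches “powershell” in a request; the attacker chooses the casing, so do not tighten that. Because the rule only rejects one URL shape, keep searching the IIS logs for attempts and apply Microsoft's patch as soon as it ships.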

If you run Microsoft Exchange, implement this protective measure as soon as possible, then verify that legitimate Autodiscover requests are still served.

Finally, for administrators who want to check whether their Exchange server has already been targeted, here is the PowerShell command to run (replace <Path_IIS_Logs> with the path to the IIS logs, which by default is “%SystemDrive%\inetpub\logs\LogFiles”):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

This searches the IIS logs for the malicious request shape, which is the sign of an exploitation attempt. Select-String is case-insensitive by default, so the lowercase “powershell” in the pattern also matches “Powershell”; the trailing “200” is a rough filter for requests that IIS answered successfully (it can also match a 200 elsewhere on the line), so drop “.*200” if you also want to see blocked or failed attempts.
