Security researchers warn that attackers are currently exploiting two zero-day vulnerabilities in Microsoft Exchange Server. Security updates are not yet available. But there is an alternative.
Malicious Code Attacks
Security researchers from GTSC encountered the attacks. They summarized their findings in a report. According to them, attackers from the Chinese environment must successfully attack the Exchange Server and nest in the systems through backdoors. After successful attacks, malicious code can be executed. In addition, the developed site serves as a starting point for spreading to other systems.
Meanwhile, other security researchers, including Trend Micro’s Zero Day Initiative (ZDI), have confirmed the vulnerabilities and attacks. Microsoft has not yet taken a stand.
Details of the vulnerabilities are not available yet. CVE numbers are not set at this time. ZDI rates the vulnerabilities with CVSS score of 8.8 (ZDI-CAN-18333 and 6.3 (ZDI-CAN-18802) The attacks are expected to occur in the summer of 2021, similar to those with ProxyShell.
Updates
09/30/2022
09:44
hour
According to security researchers, the documented attacks occurred on fully patched systems against ProxyShell.
secure servers
It is still unclear when the security patches will appear. In order to protect the systems now, GTSC security researchers have developed a temporary solution to block requests to initiate the attack. To do this, administrators must create a request block rule with the content under Autodiscover on the Rewrite URL tab
.*autodiscover\.json.*\@.*Powershell.*
Create the URL path. As a conditional entry, you must {REQUEST_URI} Choose.
Administrators can use the following PowerShell command to check if servers have already been compromised.
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
(From)
