Zero-Day Attacks on Microsoft Exchange Server – Security Patches Are Missing

Security researchers warn that attackers are currently exploiting two zero-day vulnerabilities in Microsoft Exchange Server. Security updates are not yet available, but there is a workaround.

Security researchers from GTSC encountered the attacks and summarized their findings in a report. According to them, attackers presumably from China are said to have successfully attacked Exchange servers and established themselves in the systems through backdoors. After a successful attack, malicious code can be executed. In addition, the compromised system serves as a starting point for spreading to other systems.

Meanwhile, other security researchers, including Trend Micro's Zero Day Initiative (ZDI), have confirmed the vulnerabilities and the attacks. Microsoft has not yet commented.

Details of the vulnerabilities are not yet available, and no CVE numbers have been assigned at this time. ZDI rates the vulnerabilities with CVSS scores of 8.8 (ZDI-CAN-18333) and 6.3 (ZDI-CAN-18802). The attacks are said to resemble the ProxyShell attacks of summer 2021.

Update, 09/30/2022, 09:44

According to the security researchers, the documented attacks occurred on systems that were fully patched against ProxyShell.

It is still unclear when the security patches will appear. To protect systems in the meantime, GTSC's security researchers have developed a temporary workaround that blocks the requests used to initiate the attack. To do this, administrators open URL Rewrite under Autodiscover and create a Request Blocking rule with the following pattern for the URL path:

.*autodiscover\.json.*\@.*Powershell.*

As the condition input, {REQUEST_URI} must be selected.


Administrators can use the following PowerShell command to check whether servers have already been compromised; <Path_IIS_Logs> stands for the IIS log directory.

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
