According to security researchers from Vietnamese cybersecurity organization GTSC, which first spotted and reported the attacks, threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs to allow remote code execution.
Attackers chain the two zero-days to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to pivot to other systems on victims’ networks.
“This vulnerability is so critical that it allows an attacker to perform an RCE operation on a compromised system,” the researchers said.
GTSC suspects that a Chinese threat group is behind the attacks, based on the web shells’ code page, a Microsoft character encoding for Simplified Chinese.
The user agent used to install the web shells also belongs to AntSword, a China-based open-source website administration tool with web shell management support.
Microsoft has not yet released any information about the two security flaws and has not yet assigned CVE IDs to track them.
The researchers reported the security vulnerabilities to Microsoft three weeks ago through Trend Micro’s Zero Day Initiative, which is tracking them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts confirmed the issues.
“GTSC immediately submitted the vulnerability to the Zero Day Initiative (ZDI) to work with Microsoft so that a patch can be developed as quickly as possible,” they said. “ZDI has confirmed and accepted 2 bugs with CVSS scores of 8.8 and 6.3.”
Trend Micro released a security advisory Thursday evening confirming that it has reported the two new Microsoft Exchange zero-day vulnerabilities discovered by GTSC to Microsoft.
The company has already added detections for these zero-days to its IPS N-Platform, NX-Platform and TPS products.
There are reports that a new zero-day exists in Microsoft Exchange and is actively being used in the wild.
I can confirm that quite a few Exchange servers are backdoored, including the honeypot.
The thread to track the issue is:
— Kevin Beaumont (@GossiTheDog) September 29, 2022
GTSC has released very few details about these zero-day bugs. Still, its researchers found that the requests used in this exploit chain were similar to those used in attacks targeting the ProxyShell vulnerabilities.
The exploit works in two stages:
- Requests with a format similar to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/ &Email=autodiscover/autodiscover.json%3f@evil.com
- Using the link above to reach a component in the backend where RCE can be achieved.
“The version number of these Exchange servers indicated that the latest update was already installed, so exploitation using the ProxyShell vulnerability was not possible,” the researchers said.
A temporary mitigation is available
Until Microsoft releases security updates to address the two zero-days, GTSC shared a temporary mitigation that blocks attack attempts by adding a new IIS server rule using the URL Rewrite module:
- In Autodiscover under FrontEnd, select the URL Rewrite tab and then Request Blocking.
- Add the string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Path.
- Condition input: select {REQUEST_URI}.
“We strongly recommend that all organizations/enterprises using Microsoft Exchange Server worldwide check, review and implement the above temporary remedy as soon as possible to avoid potentially serious damage,” GTSC added.
Admins who want to check whether their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan the IIS log files for indicators of compromise (a successful exploit request is logged with HTTP status 200):
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
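To make the mitigation and the log check above concrete, here is an added Python example, not code from GTSC, Microsoft or this article. It does two things: it emulates the URL Rewrite request-blocking condition on {REQUEST_URI} using GTSC’s pattern (case-insensitive, as URL Rewrite matches by default), and it scans IIS W3C log lines for the same exploit shape, once with GTSC’s Select-String regex and once with a field-aware check that reads the #Fields directive and tests sc-status exactly. The log lines, IP addresses, timestamps and the antSword user-agent string are constructed for illustration and are assumptions, not captured data.

```python
import re
from typing import Dict, Iterable, List

# GTSC's URL Rewrite "Request Blocking" pattern, applied to {REQUEST_URI}.
# URL Rewrite patterns are case-insensitive by default; re.IGNORECASE mirrors that.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# GTSC's Select-String pattern for IIS logs. Select-String is case-insensitive
# by default, so the Python equivalent needs re.IGNORECASE as well.
IOC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed sample log (assumption, not real traffic). IIS writes W3C extended
# format: one '#Fields:' directive, then space-separated rows; '-' means empty.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:15:42 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell?&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 antSword/v2.1 - 200 0 0 1234
2022-09-28 10:16:01 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@contoso.com&Protocol=ActiveSync 443 - 198.51.100.2 Outlook/16.0 - 200 0 0 45
2022-09-28 10:17:30 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell?&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 antSword/v2.1 - 401 1 2148074254 200
""".splitlines()


def should_block(request_uri: str) -> bool:
    """Emulate the IIS Request Blocking rule: pattern vs. the full request URI."""
    return BLOCK_PATTERN.match(request_uri) is not None


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives / blank lines
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_exploit_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Field-aware scan: rebuild the request URI, apply the block pattern,
    and require sc-status to be exactly 200 (a successful exploit request)."""
    hits = []
    for row in parse_w3c(lines):
        uri = row["cs-uri-stem"]
        if row["cs-uri-query"] != "-":
            uri += "?" + row["cs-uri-query"]
        if should_block(uri) and row["sc-status"] == "200":
            hits.append(row)
    return hits


def grep_hits(lines: Iterable[str]) -> List[str]:
    """Line-oriented equivalent of GTSC's Select-String one-liner."""
    return [line for line in lines if IOC_PATTERN.search(line)]


if __name__ == "__main__":
    for row in find_exploit_hits(SAMPLE_LOG):
        print(f"{row['date']} {row['time']} {row['c-ip']} {row['cs(User-Agent)']} {row['cs-uri-stem']}")
```

On the sample, the structured scan flags only the first row: the legitimate Autodiscover request carries an “@” in the Email parameter but no “powershell”, and the third row is a 401 rejection. The raw regex also matches that third row, because its trailing `.*200` is satisfied by the time-taken column rather than by sc-status; on large logs that is a reason to parse the #Fields directive rather than grep whole lines.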
Microsoft and ZDI spokespeople were not immediately available for comment when contacted by BleepingComputer earlier today.
This is an evolving story.
Update 9/29/22 7:02 PM EST: Added information on Trend Micro’s advisory for the two zero-days.