Microsoft Exchange is Back in News and This Time with a Zero-Day Bug

Summary:

While performing a security investigation, researchers at Vietnamese cybersecurity firm GTSC identified that threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs to execute remote code.

How it Works?

According the GTSC’s report named “WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER“, it is mentioned that while providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com. Also checking other logs, they saw that the attacker can execute commands on the attacked system. The version number of these Exchange servers showed that the latest update had already been installed, so exploitation using Proxyshell vulnerability was impossible which led blue team analysts to confirm that it was a new 0-day RCE vulnerability. This information was sent to the Red team, and GTSC’s Red team members researched to answer these questions:

• Why were the exploit requests similar to those of the ProxyShell bug?
• How is the RCE implemented?

Later, the GTSC Red team successfully figured out how to use the above path to access a component in the Exchange backend and perform RCE. However, at this time, GTSC team was NOT intending to release technical details of the vulnerability yet.

Post Exploitation:

In addition to deploying Chinese Chopper web shells on compromised systems, the attackers are moving laterally to other systems on the victim’s network to steal data and persist.

According to GTSC, the attacks were conducted by a Chinese threat group using the Microsoft character encoding for simplified Chinese used in the web shell code page.

Web shells are also installed by Antsword, a Chinese-based web shell management tool available as an open-source download.

Microsoft’s Reaction

Researchers notified Microsoft three weeks ago about the security vulnerabilities through its Zero Day Initiative, which tracks the vulnerabilities as ZDI-CAN-18333 and ZDI-CAN-18802.

As of now, Microsoft has not disclosed any information regarding these security flaws or assigned a CVE ID to them.

How NetSecurity Can Help You Protect From Cyber Attacks?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its cloud-based machine learning threat detection engine and its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).