Unpatched Microsoft Exchange Zero-Day actively exploited in the wild

Security researchers are warning of a new Microsoft Exchange zero-day that are being exploited by malicious actors in the wild.

Cybersecurity firm GTSC discovered two Microsoft Exchange zero-day vulnerabilities that are under active exploitation in attacks in the wild.

Both flaws were discovered by the researchers as part of an incident response activity in August 2022, they are remote code execution issues

The two vulnerabilities have yet to receive CVE identifiers, the company disclosed the issues via the Zero Day Initiative that tracked them as ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3).

GTSC has observed other attacks against its customers exploiting the same vulnerabilities. The attacks allowed threat actors to create a foothold on the vulnerable system and gather information system. Successful exploitation of the issue allows attackers to establish a backdoor and perform lateral movements to other servers in the network.

“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system. The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.” reads the advisory published by GTSC. “We detected webshells, mostly obfuscated, being dropped to Exchange servers. Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management.”

The researchers believe that the attacks were conducted by a Chinese threat actor because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.

GTSC Blueteam pointed out that the exploitation requests in IIS logs with the same format as ProxyShell vulnerability.

“The version number of these Exchange servers showed that the latest update had already installed, so an exploitation using Proxyshell vulnerability was impossible -> Blueteam analysts can confirm that it was a new 0-day RCE vulnerability.” continues the advisory.

The researchers also noticed that the attacker also changes the content of the legitimate Exchange file RedirSuiteServiceProxy.aspx to webshell content.

During the incident response process at another customer, the GTSC experts discovered that the threat actors dropped the China Chopper web shell, which is backdoor commonly used by China-linked APT groups.

In addition, the attackers also injected malicious DLLs into the memory, dropped suspicious files on the targeted servers, and executed them files using WMIC, which provides a command-line interface for Windows Management Instrumentation (WMI).

GTSC provides temporary mitigation to the exposure to attacks exploiting these zero-day issues, the company recommends adding a rule to block requests with indicators of attack through the URL Rewrite Rule module on IIS server.

To allow organizations to check if their Exchange Servers have been compromised by exploiting these flaws, GTSC released guideline and a tool to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder ): 

• Method 1: Use powershell command:
• Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200
• Method 2: Use the tool developed by GTSC: Based on the exploit signature, we build a tool to search with much shorter time needed than using powershell. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner

The experts also shared Indicators of Compromise for these attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]