Microsoft announced Friday that it has made further improvements to the mitigation for the newly disclosed, unpatched security flaws in Exchange Server.
To prevent exploitation of the flaws, the tech giant has changed the blocking rule from “.*autodiscover.json.*Powershell.*” to “(?=.*autodiscover.json)(?=.*powershell)”.
The updated steps to add the URL Rewrite rule are below.
Open the IIS Manager
Select a site
In the Feature View, click “URL Rewrite”.
In the Actions pane on the right-hand side, click Add Rule(s), and then scroll down to find the Matching Content Rule Editor.
Enable analytics
Add the string “(?=.*autodiscover.json)(?=.*powershell)” (excluding quotes)
Select Regular Expression under Advanced Options
Select No Access under How to block, and then click OK
Expand the rule, select the rule with the pattern (?=.*autodiscover.json)(?=.*powershell), and click Edit under Conditions.
Change the Condition input to {UrlDecode:{REQUEST_URI}} so that the rule is evaluated against the URL-decoded request URI.
Alternatively, users can apply the same protections by running the PowerShell-based Exchange On-premises Mitigation Tool (EOMTv2.ps1), which has also been updated to take into account the aforementioned URL pattern.
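To check what the revised rule covers, the following added example (not Microsoft's code and not part of the original article) compares the old and new rule strings on constructed request URIs, with and without the URL-decoding step. It assumes case-insensitive matching; the helper names and sample URIs are hypothetical.

```python
import re
from urllib.parse import unquote

# Rule strings as quoted in the article, with the ".*" quantifiers written out.
OLD_RULE = r".*autodiscover.json.*Powershell.*"
NEW_RULE = r"(?=.*autodiscover.json)(?=.*powershell)"


def rule_matches(pattern, request_uri, url_decode):
    """Approximate the blocking rule: optionally URL-decode the condition
    input (the {UrlDecode:{REQUEST_URI}} step), then test the pattern.
    Assumption: the rule is evaluated case-insensitively."""
    value = unquote(request_uri) if url_decode else request_uri
    return re.search(pattern, value, re.IGNORECASE) is not None


# Constructed request URIs for testing rule coverage (not real traffic).
SAMPLES = {
    "plain":    "/autodiscover/autodiscover.json?a=x/powershell",
    "reversed": "/powershell/?a=x/autodiscover.json",
    "encoded":  "/autodiscover/autodiscover.json?a=x/power%73hell",
    "benign":   "/owa/auth/logon.aspx",
}


def coverage():
    """Return {sample: (old rule, new rule, new rule with UrlDecode input)}."""
    return {
        name: (
            rule_matches(OLD_RULE, uri, url_decode=False),
            rule_matches(NEW_RULE, uri, url_decode=False),
            rule_matches(NEW_RULE, uri, url_decode=True),
        )
        for name, uri in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (old, new, new_decoded) in coverage().items():
        print(f"{name:9} old={old!s:5} new={new!s:5} new+decode={new_decoded}")
```

The two lookaheads make the new rule independent of the order in which the two strings appear, and only the decoded condition input catches a percent-encoded form.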
Microsoft has updated its monthly activity report with the actively exploited issues known as CVE-2022-41040 and CVE-2022-41082. Microsoft has not yet addressed these issues, though they may be addressed on Patch Tuesday, which is right around the corner.
Successfully using a vulnerability to achieve remote code execution is called weaponization. This type of vulnerability could be very valuable if taken advantage of in the right context.
The tech company admitted last week that the shortcomings may have been abused by a state-sponsored threat actor. They were targeted fewer than 10 times over the period of one month.
Microsoft has since issued a new update to the mitigation, adding “(?=.*autodiscover)(?=.*powershell)” to the IIS rule to block exploit attempts.