What can happen when you don’t patch your software? Hackers, that’s what. Attackers are stealing data from millions and millions of users on unpatched Microsoft Exchange servers.
The attackers are deploying Chinese Chopper web shells on the victim’s compromised servers to gain persistent access. In addition, they are moving laterally within the victim’s network in order to steal data and carry out other nefarious activities.
“The vulnerability turns out to be so critical that it allows the attacker to do remote code execution on the compromised system,” the researchers said.
Typosquat campaign mimics 27 brands to push Windows, Android malware.
The company believes that a Chinese threat group is behind the attack based on the web shells’ code page and the Microsoft character encoding for simplified Chinese.
Websites can be hacked in multiple ways, including web shells. Antsword has developed an open-source website admin tool that supports the use of web shells for your business.
Microsoft has yet to disclose information about the two security flaws. They have yet to assign a CVE ID to track them and are waiting for more information from company’s partners first.
The researchers reported the security vulnerabilities to Microsoft privately three weeks ago, which were ZDI-CAN-18333 and ZDI-CAN-18802. The latter was validated by our team after its analysis.
The most recent announcement comes after the company announced on Friday it had submitted all of its vulnerabilities to Microsoft for a fix. On Tuesday, the company announced two vulnerabilities and one of them has an 8.8 CVSS score.
Trend Micro released a security advisory that confirmed they submitted two new vulnerabilities in Microsoft Exchange to Microsoft, who then patched them.
The company has already added detection for these zero-day attacks to its IPS N-Platform, NX-Platform, or TPS products.
GTSC has released very few details about the zero-day bugs. But, its researchers did say that the exploits were similar to those used in attacks targeting the .ProxyShell vulnerabilities.
The exploit works in two stages:
When clicking the Request button, some users or tests have been sending malicious requests with a similar format to the ProxyShell vulnerability.
If you would like to start using the link above, follow these steps to access the component in the backend where we could implement the Rewrite Engine.
“The version number of these Exchange servers showed that the latest update already had been installed,” researchers said. “So an exploit using Proxyshell is impossible.”
Temporary mitigation is available
Microsoft hasn’t yet released security updates that address the two zero-day vulnerabilities, so GTSC shared a temporary solution with their partners. The GTSC website came up with a way for partners to block attack attempts by adding a new IIS server rule using URL Rewrite, which is currently the only mitigation workaround.
To reroute your client’s URLs in Autodiscover at FrontEnd, select tab URL Rewrite and then Request Blocking.
In order to get the session back, you must add string “.autodiscover.json.@.Powershell.” to the URL Path.
Condition input:
Choose your request type!
We recommend that organizations/enterprises around the world make sure that they have applied Microsoft Exchange Server’s temporary fix as soon as possible. Doing so will avoid potential significant damages.
To check if your Exchange servers have already been compromised by this exploit, you can run the following PowerShell command:
Instead of typing out this complicated command, simply use the Get-ChildItem cmdlet. By invoking it with -Recurse, you can view all IIS log files on a local system or specified file share and filter for powershell.autodiscover.json.@.*200 strings.
BleepingComputer reached out to Microsoft and ZDI spokespersons as soon as they could. Unfortunately, no one was available when we first contacted them.
