Distributed Workforce, Threat Management, Breach

New Microsoft Exchange zero-day actively exploited, security firm says

The Microsoft logo is displayed on a building
The Microsoft logo is displayed outside the Microsoft Technology Center near Times Square, June 4, 2018, in New York City. (Photo by Drew Angerer/Getty Images)

Vietnamese security firm GTSC warned of an attack campaign using a new zero-day affecting Microsoft Exchange servers that can lead to remote code execution.

GTSC's SOC team detailed the unpublished Exchange vulnerability and its temporary containment plan in a blog post on Thursday to help others stop the attack before an official patch is available from Microsoft, it explained.

The SOC first saw the vulnerability making exploit requests in IIS logs with the same format as the ProxyShell vulnerability while servicing a customer in August. While the firm contacted the Zero Day Initiative soon after discovering the zero-day so Microsoft could prepare a patch as soon as possible, it has seen other customers falling victim to the vulnerability. ZDI has verified the vulnerability and acknowledged two bugs that have CVSS scores of 8.8 and 6.3, GTSC wrote.

GTSC's red team determined how to use the vulnerability to access a component in Exchange's back-end and perform an RCE, but it did not release those technical details. It did, however, say the exploit recorded attacks to collect information and create a foothold in victim systems.

The SOC team said it suspects the attacks come from a Chinese group because the web shell code comes from a Microsoft character encoding for simplified Chinese.

"We detected webshells, mostly obfuscated, being dropped to Exchange servers. Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management."

The GTSC team also noted that every command ends with a string that is one of the signatures of the Chinese Chopper web shell, as well as malicious DLLs being injected into the memory.

The security firm offered a temporary remedy to reduce vulnerability to the attack by adding a rule to block requests with indicators of the attack through the URL Rewrite Rule module on IIS server:

  1. In Autodiscover at FrontEnd select tab URL Rewrite, select Request Blocking
  2. Add string “.autodiscover.json.\@.Powershell.“ to the URL Path
  3. Condition input: Choose {REQUEST_URI}

GTSC released guidelines and a tool to scan IIS log files, as well as Indicators of Compromise for the zero-day. For more details about the Exchange vulnerability, visit GTSC's blog post here.

"We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the above temporary remedy as soon as possible to avoid potential serious damages."

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.