Researchers at the Vietnamese cybersecurity firm GTSC have reported a rise in attacks exploiting a Microsoft Exchange zero-day. The vulnerability allegedly allowed attackers to achieve remote code execution through a chain of exploits and deploy China Chopper web shells on compromised servers. According to the report, the exploit can be used for data theft and for spying on other systems on the victim's network.
Microsoft Exchange is a mail and calendaring server that runs on Windows Server operating systems. The exploit takes advantage of an unspecified vulnerability that allows remote code execution (RCE), in which an attacker runs malicious code on a computer remotely. An RCE attack can range from running malware remotely to taking complete control of the compromised system.
GTSC explains Microsoft Exchange zero-day exploit
According to a report the cybersecurity firm shared on September 28, 2022, the Microsoft Exchange zero-day exploit enables the threat actors to install web shells on the victim's servers. The tool used to access the compromised servers remotely was Antsword, a Chinese open-source website administration tool with web shell management support. The researchers suspect that a Chinese threat group is responsible for exploiting the vulnerability.
Trend Micro, a Japanese multinational cybersecurity software company, released a security advisory confirming the two new Microsoft Exchange zero-day vulnerabilities the Vietnamese firm discovered. GTSC reported the vulnerabilities to Microsoft three weeks ago, and they are tracked as ZDI-CAN-18333 and ZDI-CAN-18802. Microsoft has not yet addressed the vulnerability or assigned it a CVE ID.
GTSC analyzes Microsoft Exchange zero-day exploit
The researchers collected a sample from the attempted exploit and analyzed the malware used by the threat actors. The sample named 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 contained malicious code, and the other samples showed similar tasks and behaviors, all directed towards executing a DLL (dynamic-link library) file on the victim's computer.
https://twitter.com/GossiTheDog/status/1575580072961982464
The security company found that the DLL was injected into the memory of the svchost.exe process, which then connected to 137[.]184[.]67[.]33 to send and receive data. Traffic to and from the C2 was encrypted with the RC4 algorithm, using a new key generated at runtime.
Temporary mitigation for Microsoft Exchange zero-day exploit
The cybersecurity firm shared a temporary mitigation that can block attempts to exploit the Microsoft Exchange vulnerability. Since only one organization is known to have been hit so far, the threat actors are likely to target more organizations soon. The mitigation adds a new IIS server rule using the URL Rewrite module. Here's how to do that:
- In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
- Add the string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path.
- Condition input: Choose {REQUEST_URI}
Moreover, GTSC has described two methods for checking whether an organization has been compromised via the Microsoft Exchange zero-day. The company has also released a tool that scans the IIS log files.
Method A
Use the PowerShell command: Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
Method B
Download and install the tool developed by GTSC via the link: https://github.com/ncsgroupvn/NCSE0Scanner
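As an added example (not GTSC's tool or code from the report), the following Python script performs the same check as Method A over IIS W3C log files, but parses the fields first so that the three URI indicators (autodiscover.json, @, powershell) are matched in the request URI in any order and the 200 is taken from the sc-status field rather than anywhere on the line. The log lines and the field layout are constructed for the example.

```python
from typing import Dict, Iterator, List

# The tokens the GTSC Method A pattern looks for, checked here against the
# parsed request URI (stem + query) regardless of their order in the line.
URI_INDICATORS = ("autodiscover.json", "@", "powershell")

# Constructed sample IIS W3C log (not real log data). A real scan would read
# every *.log under the IIS log directory (the <Path_IIS_Logs> placeholder).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 412
2022-09-28 10:15:03 10.0.0.5 GET /owa/ - 443 jdoe 198.51.100.4 Mozilla/5.0 - 200 0 0 21
2022-09-28 10:15:05 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell 443 - 203.0.113.7 Mozilla/5.0 - 401 1 0 15
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may change mid-file; re-read it
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                    # malformed line: skip it, do not crash
        yield dict(zip(fields, values))


def is_suspicious(entry: Dict[str, str]) -> bool:
    """True when the request URI carries all three indicators and IIS answered 200."""
    uri = (entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")).lower()
    return all(tok in uri for tok in URI_INDICATORS) and entry.get("sc-status") == "200"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return the suspicious entries found in one log file's contents."""
    return [e for e in parse_w3c(text) if is_suspicious(e)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

The request that was rejected with 401 is deliberately not reported, matching the trailing 200 in the original pattern; drop the status check if you also want to see failed attempts.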