Unpatched Microsoft Exchange Zero-Day Actively Exploited in the WildSecurity Cases


Security researchers warn of a new zero-day Microsoft Exchange that is being exploited by malicious actors in the wild.

Cybersecurity firm GTSC has discovered two Microsoft Exchange zero-day vulnerabilities that are being actively exploited in attacks in the wild.

Both flaws were discovered by researchers during incident response activity in August 2022, they are remote code execution issues

Both vulnerabilities have not yet received CVE identifiers, the company disclosed the issues through the Zero Day initiative which tracked them as ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3).

GTSC has observed other attacks against its customers exploiting the same vulnerabilities. The attacks allowed threat actors to gain a foothold on the vulnerable system and gather information about the system. Successful exploitation of the issue allows attackers to establish a backdoor and perform lateral moves to other servers in the network.

“After successfully mastering the exploit, we recorded attacks to gather information and gain a foothold in the victim’s system. The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system. read it advisory edited by GTSC. “We detected webshells, mostly obfuscated, dropped on Exchange servers. Using the user agent, we detected that the attacker is using Antsword, an active China-based cross-platform open-source website administration tool that supports webshell management.

Researchers believe the attacks were carried out by a Chinese threat actor because the Webshell code page is 936, which is a Microsoft character encoding for Simplified Chinese.

GTSC Blueteam specifies that the exploitation requests in the IIS logs in the same format as ProxyShell vulnerability.

“The version number of these Exchange servers indicated that the latest update was already installed, therefore an exploitation using the Proxyshell vulnerability was impossible -> Blueteam analysts can confirm that this is a new RCE 0 vulnerability -day.” continues the advice.

The researchers also noticed that the attacker also modifies the content of the legitimate Exchange file RedirSuiteServiceProxy.aspx into Webshell content.

During the incident response process at another client, GTSC experts discovered that the threat actors had abandoned the China Chopper web shell, which is a backdoor commonly used by China-related APT groups.

Furthermore, the attackers also injected malicious DLLs into memory, dropped suspicious files on the targeted servers, and executed those files using WMICwhich provides a command-line interface for Windows Management Instrumentation (WMI).

GTSC provides temporary mitigation of exposure to attacks exploiting these zero-day issues, the company recommends adding a rule to block requests with attack indicators through the URL Rewrite Rule module on the IIS server.

To allow organizations to check whether their Exchange servers have been compromised by exploiting these vulnerabilities, GTSC has released a guideline and tool to analyze IIS log files (stored by default in the %SystemDrive%inetpublogsLogFiles folder):

  • Method 1: Use the powershell command:
  • Get-ChildItem -Recurse -Path -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover.json.*@.*200
  • Method 2: Use the tool developed by GTSC : Based on the exploit signature, we build a search tool with a much shorter time required than using powershell. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner

Experts have also shared indicators of compromise for these attacks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, Microsoft Exchange zero-day)

Share on


Comments are closed.