Security Vulnerability: Microsoft Exchange Server Zero-Day Exploit and Recommended Action

GBS would like to bring attention to a recent Microsoft Exchange security vulnerability and recommend initial action steps.

Microsoft Exchange Server zero-day exploits that allow remote code execution were recently identified by cybersecurity firm GTSC. Attackers install China Chopper web shells on compromised servers and steal data, then use that foothold to reach other systems across their targets' networks.

It is not yet clear when Microsoft will provide a patch for the two vulnerabilities, but it is possible that they could be delivered as part of the Patch Tuesday updates on October 11, 2022.

In the meantime, anyone using Exchange Server can make the following changes to IIS:

  • Open IIS Manager
  • Select default website
  • In the Features view, click URL Rewrite
  • In the Actions section on the right, click Add Rule(s)….
  • Select Request Blocking and click OK
  • Add the string ".*autodiscover\.json.*Powershell.*" (without quotation marks)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions
  • Change the condition input from {URL} to {REQUEST_URI}.

You can also use this PowerShell command to search your IIS logs for signs that this exploit has been used against your Exchange servers (replace <Path_IIS_Logs> with the folder holding your IIS logs):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

We hope for a prompt response from Microsoft to resolve the issue.

Sources:

https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/amp/

https://www.darkreading.com/remote-workforce/microsoft-updates-mitigation-for-exchange-server-zero-days