New unpatched Microsoft Exchange Zero-Day under active exploitation


Security researchers warn of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to obtain remote code execution on affected systems.

That’s according to Vietnamese cybersecurity firm GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022.

Both vulnerabilities, which have not yet been assigned CVE identifiers, are being tracked by the Zero Day Initiative as ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3).

GTSC said successful exploitation of the flaws could give attackers a foothold on the victim’s systems, allowing them to drop web shells and move laterally across the compromised network.


“We detected webshells, mostly obfuscated, dropped on Exchange servers,” the company noted. “Using the user agent, we detected that the attacker is using Antsword, an active China-based open-source cross-platform website administration tool that supports web shell management.”

Exploitation attempts recorded in IIS logs appear in the same request format as the ProxyShell Exchange Server vulnerabilities, with GTSC noting that the targeted servers had already been patched against the flaws disclosed in March 2021.

The cybersecurity firm speculated that the attacks likely originated from a Chinese hacking group due to the web shell’s encoding in Simplified Chinese (Windows Code page 936).

Also deployed in attacks is the China Chopper web shell, a lightweight backdoor that can grant persistent remote access and allow attackers to reconnect at any time for further exploitation.


It should be noted that the China Chopper web shell was also deployed by Hafnium, an alleged state-sponsored group operating out of China, when ProxyShell vulnerabilities were widely exploited last year.

Other post-exploitation activities observed by GTSC include injecting malicious DLLs into memory and dropping and executing additional payloads on infected servers using the WMI command-line utility (WMIC).

The company said that more than one organization has fallen victim to the campaign exploiting the zero-day flaws. Additional bug details have been withheld in light of active exploitation.

We’ve reached out to Microsoft for further comment, and we’ll update the story if we hear back.


In the meantime, as a temporary workaround, it is recommended to add a rule that blocks requests matching the indicators of compromise, using the URL Rewrite module for IIS servers:

  • In Autodiscover at FrontEnd, select the URL Rewrite tab, then select Request Blocking
  • Add the string “.*autodiscover.json.*@.*Powershell.*” to the URL path, and
  • For the condition input, choose {REQUEST_URI}
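The URL Rewrite rule above is only as good as the pattern it applies to {REQUEST_URI}. The following added example (not code from GTSC, Microsoft or the article) applies that same pattern to IIS W3C log lines so a defender can check historical traffic for requests the rule would have blocked. It assumes the standard W3C log layout with a `#Fields:` header and rebuilds {REQUEST_URI} as path plus query string; the log lines are constructed for illustration and the `203.0.113.7` client address is a documentation placeholder.

```python
import re
from typing import Dict, Iterator, List, Optional

# The pattern from the mitigation above. IIS URL Rewrite matches regular
# expressions case-insensitively by default, so re.IGNORECASE is needed to
# mirror that behaviour; without it a lower-case "powershell" would slip past.
BLOCK_PATTERN = re.compile(r".*autodiscover.json.*@.*Powershell.*", re.IGNORECASE)

# Constructed sample log (not real traffic). Fields follow the IIS W3C format;
# the query is logged without its leading "?", and "-" means an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-09-29 10:15:01 10.0.0.5 GET /owa/ - 443 203.0.113.7 Mozilla/5.0 200
2022-09-29 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@example.test 443 203.0.113.7 Mozilla/5.0 200
2022-09-29 10:15:03 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 203.0.113.7 Mozilla/5.0 200
"""


def parse_w3c_log(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per request row from IIS W3C extended log lines.

    The '#Fields:' directive names the columns; other '#' lines are comments.
    Rows whose field count does not match the header are skipped.
    """
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def request_uri(entry: Dict[str, str]) -> str:
    """Rebuild {REQUEST_URI} as URL Rewrite sees it: path plus '?query' if any."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def find_blocked_requests(lines) -> List[Dict[str, str]]:
    """Return the requests that the mitigation's URL Rewrite rule would block."""
    hits = []
    for entry in parse_w3c_log(lines):
        uri = request_uri(entry)
        if BLOCK_PATTERN.match(uri):
            hits.append({
                "client": entry.get("c-ip", "-"),
                "uri": uri,
                "status": entry.get("sc-status", "-"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_blocked_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} {hit['status']} {hit['uri']}")
```

Only the third constructed row matches: the ordinary Autodiscover request contains an `@` but no `Powershell`, so it is not flagged. Note that the dots in `autodiscover.json` are unescaped in the page's pattern, so they match any character; that makes the rule slightly broader than a literal match, not narrower. To run this against real logs, feed `open(path)` to `find_blocked_requests` in place of `SAMPLE_LOG.splitlines()`.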

“I can confirm that a significant number of Exchange servers were backdoored, including a honeypot,” security researcher Kevin Beaumont said in a series of tweets, adding that “it looks like again to a variation of the proxy to the administration interface”.

“If you’re not running Microsoft Exchange on-premises and you don’t have Internet-facing Outlook Web App, you’re not affected,” Beaumont said.
