Reports are emerging that a new zero-day exists in Microsoft Exchange and is being exploited in the wild, a well-known security researcher has warned.
Kevin Beaumont said in a series of tweets that he could confirm that a significant number of Exchange servers had been hijacked, including a honeypot.
He added that while Microsoft appeared to be aware of the new vulnerability, the company had yet to notify customers.
Beaumont pointed to a publication by a Vietnamese firm, GTSC Cyber Security Company, which said details of the vulnerability, first noticed in August, had been sent to the Zero Day Initiative, which verified and acknowledged two bugs.
“However, so far GTSC has seen other customers also experiencing the same issue,” the report said. “After careful testing, we have confirmed that these systems were attacked using this 0-day vulnerability.
“To help the community temporarily stop the attack before an official patch from Microsoft is available, we are posting this article for organizations that use the Microsoft Exchange messaging system.”
iTWire has contacted Microsoft for its opinion on the matter.
I just did a Shodan sample, and many orgs haven’t patched ProxyShell. The exploits for this were pretty terrible, so if anyone did a good one, they’ll have a great time. pic.twitter.com/dFm0qM7QXy
— Kevin Beaumont (@GossiTheDog) September 29, 2022
The new vulnerability appears to resemble the ProxyShell flaw, for which Microsoft released updates in May and July last year.
Beaumont pointed to a portion of the GTSC report that said, “While providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/
“Checking other logs as well, we saw that the attacker can run commands on the attacked system. The version number of these Exchange servers showed that the latest update had already been installed, so an exploit using the ProxyShell vulnerability was impossible -> Blueteam analysts can confirm this was a new 0-day RCE vulnerability.
“This information was sent to Redteam, and Redteam members of GTSC conducted research to answer these questions: Why were the exploit requests similar to the ProxyShell bug? How is the RCE implemented?
“GTSC Redteam managed to figure out how to use the above path to access a component in the Exchange backend and perform RCE. However, at this time, we would like to NOT publish the technical details of the vulnerability.”
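The IIS log pattern GTSC describes above (a request to autodiscover/autodiscover.json whose query string begins with @<host>/) is something a defender can sweep existing logs for. The script below is an added example for this article, not code from GTSC, iTWire or Beaumont. It parses IIS W3C-format logs over a constructed sample, URL-decodes the query before matching so an encoded @ is not missed, and reports the client IP and HTTP status so an analyst can prioritise requests the server actually served (status 200) over those it rejected. The log field layout, the regular expression and the helper names are assumptions of the example, and the backend path after the host in the sample lines is a placeholder, not a real Exchange endpoint.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt (not real data). The two suspicious
# lines mirror only the request shape quoted from the GTSC report
# (autodiscover.json?@<host>/...); the path after the host is a placeholder.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-28 03:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-09-28 03:12:45 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 192.0.2.10 Mozilla/5.0 200 15
2022-09-28 03:13:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@example.test&Protocol=ActiveSync 443 - 192.0.2.11 Outlook/16.0 200 31
2022-09-28 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/PLACEHOLDER-BACKEND-PATH 443 - 198.51.100.7 python-requests/2.28 200 254
2022-09-28 03:14:10 10.0.0.5 POST /Autodiscover/Autodiscover.json @evil.example/PLACEHOLDER-BACKEND-PATH 443 - 198.51.100.7 python-requests/2.28 401 12
2022-09-28 03:20:33 10.0.0.5 GET /autodiscover/autodiscover.json %40evil.example/PLACEHOLDER-BACKEND-PATH 443 - 203.0.113.9 curl/7.85.0 200 198
"""

# Heuristic (assumption of this example): a raw query string that starts with
# "@<host>/" is the shape GTSC quoted. Legitimate Autodiscover V2 queries are
# key=value pairs (Email=..., Protocol=...), so an "@" inside those does not match.
SUSPECT_QUERY = re.compile(r"^@[^/?&=\s]+/")
AUTODISCOVER_STEM = "/autodiscover/autodiscover.json"


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended-format log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; it can change mid-file when
            # logging settings are edited, so always honour the latest one.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_suspicious_autodiscover(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return log records whose autodiscover.json request carries an @host/ query."""
    findings: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()      # IIS paths are case-insensitive
        query = unquote(rec.get("cs-uri-query", ""))  # "-" when the query is empty
        if stem != AUTODISCOVER_STEM or not SUSPECT_QUERY.match(query):
            continue
        findings.append({
            "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "c-ip": rec.get("c-ip", "?"),
            "method": rec.get("cs-method", "?"),
            "query": query,
            "sc-status": rec.get("sc-status", "?"),
            # A 200 means the front end proxied the request onward; those come first in triage.
            "served": rec.get("sc-status") == "200",
        })
    return findings


def hits_by_client(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count suspicious requests per source address for quick prioritisation."""
    return dict(Counter(f["c-ip"] for f in findings))


if __name__ == "__main__":
    hits = find_suspicious_autodiscover(SAMPLE_IIS_LOG.splitlines())
    for h in hits:
        flag = "SERVED" if h["served"] else "rejected"
        print(f"{h['when']} {h['c-ip']} {h['method']} status={h['sc-status']} ({flag}) {h['query']}")
    print("per-client:", hits_by_client(hits))
```

Run it against a real log directory by feeding each file's lines to find_suspicious_autodiscover; a match is a candidate for investigation, not proof of compromise, and the same sweep is worth repeating once Microsoft's guidance is available, since a fix may change which of these requests reach the backend at all.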
One more – Trend Micro, owner of ZDI, has published a knowledgebase article, with detection signatures (for their products) for both ProxyShell and specifically for this ZDI vulnerability reference number.
— Kevin Beaumont (@GossiTheDog) September 29, 2022
Beaumont added that it’s not unusual for a significant number of Exchange servers to be backdoored because the patching process was such a mess, with people ending up on old updates and not properly fixing ProxyShell.
“I guess there might be an additional vulnerability, but from the blog it looks like they are hitting it via ProxyShell, an old vulnerability (for which MS didn’t push the IIS rewrite module),” he wrote.
“I suspect it may be a new _exploit_ rather than vulnerabilities, time will tell.
“Public ProxyShell exploits are terrible – for example, they hard-code knowing server names, email boxes, etc. – you can actually exploit them without those details.”