Researchers at a Vietnamese security company called GTSC said that Chinese hackers are exploiting two zero-day bugs in Microsoft’s Exchange servers, leading to an RCE attack.

These are ProxyShell vulnerabilities that Microsoft didn’t acknowledge yet, so a tracking CVE ID isn’t set. Meanwhile, the researchers who spotted them shared with Microsoft for an official patch and also gave a temporary workaround for the system admins until then.

RCE Bug in Exchange Servers

Since earlier this year, Microsoft Exchange Servers have been some of the frequently targeted systems due to them having a number of zero-day vulnerabilities. Lately, we have seen two zero-day bugs reported by GTSC – a Vietnamese security company that shared its findings with Microsoft through its Zero Day Initiative.

As per it, the Exchange Servers are infested with two zero-day bugs – concerning the ProxyShell – and leading to a remote code execution attack. Researchers noted active exploitations against these and linked them to a Chinese group citing the web shells and user agents they’re using in the process.

They further detailed that the hackers are chaining the pair of zero-days to deploy their Chopper web shells on compromised servers – to gain persistence and data theft and even move laterally to other systems in the victims’ networks.

Though they shared these findings with Microsoft three weeks ago, the company is yet to acknowledge and come up with a patch. Until then, GTSC has assigned a tracking ID as ZDI-CAN-18333 and ZDI-CAN-18802 to the two vulnerabilities, with severity scores of 8.8 and 6.3, respectively.

Soon after their disclosure, TrendMicro confirmed the submission through a security advisory and added detections for these zero-days to its IPS N-Platform, NX-Platform, or TPS products.

Until Microsoft come up with a suitable patch update, GTSC shared temporary mitigation for the Exchange Servers admins, as follows;

  1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
  2. Add string “.*autodiscover\.json.*\@.*Powershell.*“ to the URL Path.
  3. Condition input: Choose {REQUEST_URI}

If you’re a system admin and want to check if your server was compromised by these bugs, try the following PowerShell command to scan the IIS log files;

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200


Please enter your comment!
Please enter your name here