We are continuing to monitor for any further issues.
Posted Oct 05, 2022 - 13:51 EDT
Monitoring
Posted Date: 9/30/2022
Published Date:
Source(s): GTSC, Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: GTSC
Date(s) Issued:
Subject: Security researchers from the GTSC Network Security firm have found a new zero-day vulnerability in Microsoft Exchange Server that is being exploited in the wild.

OVERVIEW: Security researchers from GTSC Network Security discovered a critical vulnerability in Microsoft Exchange Server that can be exploited by malicious actors to execute code remotely (RCE) on the compromised system.

SYSTEMS AFFECTED:
• Microsoft Exchange Server 2013, 2016, 2019
RISK: Anyone who is currently using the Microsoft Exchange Server versions listed above.

THREAT SUMMARY: On September 29, 2022, GTSC released a blog outlining a new attack campaign that has been observed using two as-yet-undisclosed vulnerabilities (0-days) that were submitted to Microsoft via Trend Micro's Zero Day Initiative: ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3). Together they could allow an attacker to perform remote code execution (RCE) on affected Microsoft Exchange servers. At this time, GTSC has not released any technical details regarding these zero-day vulnerabilities. Microsoft is aware of them; however, there is currently no patch.
Detection: To help organizations check whether their Exchange Servers have been exploited via this 0-day, the following PowerShell command can be used to scan the IIS log files (replace <IIS log directory> with the path to the server's IIS logs):

Get-ChildItem -Recurse -Path <IIS log directory> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
Mitigations: The current mitigation is to add a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns.
• Open the IIS Manager.
• Expand the Default Web Site.
• Select Autodiscover.
• In the Feature View, click URL Rewrite.
• In the Actions pane on the right-hand side, click Add Rules.
• Select Request Blocking and click OK.
• Add the string ".*autodiscover\.json.*Powershell.*" (excluding quotes) and click OK.
• Expand the rule, select the rule with the pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.
• Change the condition input from {URL} to {REQUEST_URI}.

Blocking the following ports used for Remote PowerShell can also help limit these attacks:
• HTTP: 5985
• HTTPS: 5986
CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC is actively monitoring updates and working to create queries/ATH rules for the indicators of compromise as they are released.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with "OTX Pulses", i.e. information available on related indicators observed from both the vendor and the community.
Developing Situation: The SOC will continue to research emerging related threats in the wild and from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise and scan for these vulnerabilities within the environments of our clients that have the Vulnerability Management Service.

Reference Links: