CyFlare SOC Advisory – Microsoft Exchange Zero-Day
Incident Report for CyFlare
We are continuing to monitor for any further issues.
Posted Oct 05, 2022 - 13:51 EDT
Posted Date: 9/30/2022
Published Date:
Source(s): GTSC, Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: GTSC
Date(s) Issued:
Subject: Security researchers from GTSC Network Security firm have found a new zero-day vulnerability in Microsoft Exchange Server which is exploiting in wild.
OVERVIEW: Security Researchers from GTSC Network Security discovered a critical vulnerability on Microsoft Exchange Servers that can be exploited by malicious actors to execute code remotely (RCE) on the compromised system
• Microsoft Exchange Server 2013, 2016, 2019

Anyone who is currently using the Microsoft Exchange Servers listed
On September 29, 2022, a blog was released by GTSC outlining a new attack campaign that has been observed utilizing two yet undisclosed vulnerabilities (0-day) that were submitted to Microsoft via Trend Micro's Zero Day Initiative : ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3), which could allow an attacker to the ability to perform remote code execution (RCE) on affected Microsoft Exchange servers.
At this time, GTSC has no released any technical details regarding this new zero-day vulnerability, Microsoft is aware of these vulnerabilities however there is currently no patch for this exploit

To help organizations check if their Exchange Servers have been exploited by this 0day vulnerability, you can use the following PowerShell command to scan IIS log files: ”Get-ChildItem -Recurse -Path -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200”

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
• Open the IIS Manager.
• Expand the Default Web Site.
• Select Autodiscover.
• In the Feature View, click URL Rewrite.
• In the Actions pane on the right-hand side, click Add Rules.
• Select Request Blocking and click OK.
• Add String “.*autodiscover\.json.*Powershell.*” (excluding quotes) and click OK.
• Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
• Change the condition input from {URL} to {REQUEST_URI}

Blocking the following ports used for Remote PowerShell can also help limit these attacks
• HTTP: 5985
• HTTPS: 5986

Indicators of Compromise:
File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

Filename: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC is actively monitoring updates and working to create queries/ATH rules regarding the indicators of compromise as they’re released.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange or OTX has been updated with ‘OTX Pulses’ or information available on related indicators observed from both vendor and community.

Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Reference Links:

Should you have any questions or concerns please place a ticket with the SOC using or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Posted Sep 30, 2022 - 11:34 EDT
This incident affects: Breach Detection Service.