New Microsoft Exchange zero-days (SSRF + RCE) actively exploited in attacks

UPDATE

Microsoft has updated its guidance: the blocking rule pattern in IIS Manager has been revised from “.*autodiscover\.json.*Powershell.*” to “(?=.*autodiscover\.json)(?=.*powershell)”.

Also, change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.

On Thursday, September 29, a Vietnamese security firm called GTSC published information and IOCs on what they say is a pair of unpatched Microsoft Exchange Server vulnerabilities being used in attacks on their customers.

The two undisclosed (zero-day) vulnerabilities were submitted to Microsoft via Trend Micro’s Zero Day Initiative as ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3); together they could allow an attacker to perform remote code execution (RCE) on affected Microsoft Exchange servers.

In the interim, as a temporary workaround, add a rule that blocks requests containing the indicators of compromise, using the URL Rewrite module for IIS:

– In Autodiscover under FrontEnd, open the URL Rewrite feature and select Request Blocking

– Add the string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Path

– Condition input: choose {REQUEST_URI}

All organizations running Microsoft Exchange Server are advised to test (in a non-production environment first), review, and apply the temporary mitigation above as soon as possible to avoid potentially serious damage.
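The same mitigation can be applied without clicking through IIS Manager. The script below is an added example, not part of the original post and not Microsoft's own mitigation tool; it uses the WebAdministration module to create the Request Blocking rule with the revised pattern and the {UrlDecode:{REQUEST_URI}} condition from the UPDATE section. The site path 'IIS:\Sites\Default Web Site\Autodiscover' (the front-end Autodiscover application) and the rule name are assumptions; any rule of that name is replaced, so re-running it after Microsoft revises the pattern again swaps in the new version.

```powershell
# Added example (not from the original post, not Microsoft's EOMT script).
# Creates the URL Rewrite "Request Blocking" rule on the front-end Autodiscover
# application with the revised pattern and decoded-URI condition. Run elevated,
# and in a non-production environment first.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site     = 'IIS:\Sites\Default Web Site\Autodiscover'   # assumed location of the front-end Autodiscover app
$RuleName = 'BlockAutodiscoverPowershell'                 # hypothetical rule name
# Revised pattern from Microsoft's update: two lookaheads, so the order in which
# the two tokens appear in the request no longer matters.
$Pattern  = '(?=.*autodiscover\.json)(?=.*powershell)'

# 1. Without the URL Rewrite module the system.webServer/rewrite section does not
#    exist and every edit below fails, so check for its global module first.
if (-not (Get-WebGlobalModule -Name 'RewriteModule')) {
    throw 'IIS URL Rewrite module is not installed; install it before applying the rule.'
}

# 2. Replace any earlier version of the rule (for example one created with the
#    first pattern and the {URL} condition) instead of adding a duplicate.
$RuleFilter = "system.webServer/rewrite/rules/rule[@name='$RuleName']"
if (Get-WebConfiguration -PSPath $Site -Filter $RuleFilter) {
    Remove-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/rewrite/rules' `
        -Name '.' -AtElement @{ name = $RuleName }
}
Add-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/rewrite/rules' -Name '.' `
    -Value @{ name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }

# 3. Match every URL; the actual test is the condition, which is also how the
#    IIS Manager "Request Blocking" template lays the rule out.
Set-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/match" -Name 'url' -Value '.*'

# 4. Evaluate the pattern against the *decoded* request URI (second change in the
#    UPDATE), so percent-encoded spellings of the two tokens are still matched.
Add-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/conditions" -Name '.' `
    -Value @{ input = '{UrlDecode:{REQUEST_URI}}'; pattern = $Pattern; ignoreCase = 'True' }

# 5. Abort the request outright rather than redirecting it.
Set-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/action" -Name 'type' -Value 'AbortRequest'

# 6. Read the rule back for the change record.
Get-WebConfiguration -PSPath $Site -Filter $RuleFilter |
    Select-Object name, patternSyntax, stopProcessing
Get-WebConfiguration -PSPath $Site -Filter "$RuleFilter/conditions/add" |
    Select-Object input, pattern, ignoreCase
```

After running it, send a harmless request whose query string contains both tokens to the server from a test client and confirm it is aborted, and one without them to confirm normal Autodiscover traffic still passes; the condition is case-insensitive, so mixed-case spellings are covered as well.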

Check for compromise

Based on: Exchange Server servers attacked via 0-day exploit (Sept. 29, 2022) | Born’s Tech and Windows World (borncity.com):

To check whether an Exchange Server has already been affected by an attack, GTSC has published a guide and a tool for scanning the IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder):

Method 1: Use the following PowerShell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Method 2: Use the tool developed by GTSC.

Based on the exploit signature, GTSC has created a tool that searches the logs much faster than the PowerShell command above. The tool can be downloaded from GitHub. In the same article, the GTSC researchers also provided Indicators of Compromise (IOCs) that can be used to identify an infection:

Webshell:

File name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

File name: errorEE.aspx
Hash (SHA256): be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

DLL:

File name: Dll.dll

SHA256:

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82

45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9

9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0

29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3

c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File name: 180000000.dll (dumped from the Svchost.exe process)

SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

125[.]212[.]220[.]48

5[.]180[.]61[.]17

47[.]242[.]39[.]92

61[.]244[.]94[.]85

86[.]48[.]6[.]69

86[.]48[.]12[.]64

94[.]140[.]8[.]48

94[.]140[.]8[.]113

103[.]9[.]76[.]208

103[.]9[.]76[.]211

104[.]244[.]79[.]6

112[.]118[.]48[.]186

122[.]155[.]174[.]188

125[.]212[.]241[.]134

185[.]220[.]101[.]182

194[.]150[.]167[.]88

212[.]119[.]34[.]11

URL:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:

137[.]184[.]67[.]33
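The one-line Select-String check in Method 1 matches raw log lines, which misses percent-encoded requests and does not say which client sent them. The script below is an added example, not from the original post and not GTSC's scanner; it parses the IIS W3C logs by their #Fields header, URL-decodes each request before applying the revised two-lookahead pattern, marks hits whose client IP is in the IOC list above, and then checks the webshell paths above against their published SHA256 hashes. The log location is the default named earlier; the IPs, paths and hashes are copied from the IOC section; everything else (function names, column handling) is this example's own.

```powershell
# Added example (not part of the original post, not GTSC's tool): IIS log triage
# plus a webshell-path check, using the IOCs listed above. Run elevated on the server.
param(
    [string]$LogRoot = "$env:SystemDrive\inetpub\logs\LogFiles"   # default IIS log folder
)

# Revised pattern from Microsoft's update; the lookaheads make token order irrelevant.
$Pattern = '(?=.*autodiscover\.json)(?=.*powershell)'

# Attacker IPs and the C2 address from the IOC list (defanging brackets removed).
$IocIps = @(
    '125.212.220.48','5.180.61.17','47.242.39.92','61.244.94.85','86.48.6.69',
    '86.48.12.64','94.140.8.48','94.140.8.113','103.9.76.208','103.9.76.211',
    '104.244.79.6','112.118.48.186','122.155.174.188','125.212.241.134',
    '185.220.101.182','194.150.167.88','212.119.34.11','137.184.67.33'
)

# Webshell paths and SHA256 values from the IOC list. RedirSuiteServiceProxy.aspx
# was listed with two different hashes, so each path maps to a list of hashes.
$AuthDir = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'
$WebshellIocs = @{}
$WebshellIocs["$AuthDir\pxh4HG1v.ashx"] = @('c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1')
$WebshellIocs["$AuthDir\RedirSuiteServiceProxy.aspx"] = @(
    '65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5',
    'b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca')
$WebshellIocs["$AuthDir\errorEE.aspx"] = @('be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257')

function Find-SuspiciousRequests {
    param([string]$Root, [string]$Regex, [string[]]$KnownBadIps)
    $required = 'date', 'time', 'cs-uri-stem', 'cs-uri-query', 'c-ip', 'sc-status'
    foreach ($file in Get-ChildItem -Path $Root -Recurse -Filter '*.log' -ErrorAction SilentlyContinue) {
        $idx = $null   # column map for the current #Fields section of this file
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                # The W3C header names the columns; IIS can be configured to log
                # different fields, so never assume fixed positions.
                $names = ($line.Substring(8).Trim()) -split ' '
                $idx = @{}
                for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
                foreach ($r in $required) {
                    if (-not $idx.ContainsKey($r)) { $idx = $null; break }   # section lacks a needed column
                }
                continue
            }
            if ($null -eq $idx -or $line.StartsWith('#')) { continue }
            $cols = $line -split ' '
            if ($cols.Count -lt $names.Count) { continue }   # truncated line (e.g. file still being written)
            # IIS writes cs-uri-query still percent-encoded; decode before matching,
            # which is what {UrlDecode:{REQUEST_URI}} does in the rewrite rule.
            $uri = [System.Uri]::UnescapeDataString($cols[$idx['cs-uri-stem']] + '?' + $cols[$idx['cs-uri-query']])
            if ($uri -imatch $Regex) {
                $ip = $cols[$idx['c-ip']]
                [pscustomobject]@{
                    File     = $file.Name
                    When     = $cols[$idx['date']] + ' ' + $cols[$idx['time']]
                    ClientIp = $ip
                    KnownIoc = ($KnownBadIps -contains $ip)
                    Status   = $cols[$idx['sc-status']]   # GTSC's grep keyed on 200; non-200 hits are still probes worth seeing
                    Request  = $uri
                }
            }
        }
    }
}

function Test-WebshellIocs {
    param([hashtable]$Iocs)
    foreach ($path in $Iocs.Keys) {
        # Absence is the expected state. A present file is reported even when its
        # hash differs, since the same file name was listed above with two hashes;
        # the hash comparison is an extra signal, not the decision.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Path      = $path
            Sha256    = $hash
            KnownHash = ($Iocs[$path] -contains $hash)
            Modified  = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        }
    }
}

Write-Host "Scanning IIS logs under $LogRoot ..."
Find-SuspiciousRequests -Root $LogRoot -Regex $Pattern -KnownBadIps $IocIps |
    Sort-Object When | Format-Table -AutoSize
Write-Host 'Checking webshell paths ...'
Test-WebshellIocs -Iocs $WebshellIocs | Format-Table -AutoSize
```

Any row from the first table with Status 200, and any row at all from the second, should be treated as a confirmed-compromise lead and the host preserved for forensic work rather than simply cleaned; the When column gives the starting point for correlating with the DLL and process IOCs listed above.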

Please follow Microsoft’s web site for the official patch for the two vulnerabilities.

SHMUEL H.
