Security
researchers
are
warning
of
previously
undisclosed
flaws
in
fully
patched
Microsoft
Exchange
servers
being
exploited
by
malicious
actors
in
real-world
attacks
to
achieve
remote
code
execution
on
affected
systems.

That’s
according
to
Vietnamese
cybersecurity
company
GTSC,
which
discovered
the
shortcomings
as
part
of
its
security
monitoring
and
incident
response
efforts
in
August
2022.

The
two
vulnerabilities,
which
are
formally
yet
to
be
assigned
CVE
identifiers,
are
being

tracked
by
the
Zero
Day
Initiative
as

ZDI-CAN-18333
(CVSS
score:
8.8)
and

ZDI-CAN-18802
(CVSS
score:
6.3).

GTSC
said
that
successful
exploitation
of
the
flaws
could
be
abused
to
gain
a
foothold
in
the
victim’s
systems,
enabling
adversaries
to
drop
web
shells
and
carry
out
lateral
movements
across
the
compromised
network.

“We
detected
webshells,
mostly
obfuscated,
being
dropped
to
Exchange
servers,”
the
company

noted. “Using
the
user-agent,
we
detected
that
the
attacker
uses
Antsword,
an
active
Chinese-based
open
source
cross-platform
website
administration
tool
that
supports
web
shell
management.”

Exploitation
requests
in
IIS
logs
are
said
to
appear
in
the
same
format
as
the

ProxyShell
Exchange
Server
vulnerabilities,
with
GTSC
noting
that
the
targeted
servers
had
already
been
patched
against
the
flaws
that
came
to
light
in
March
2021.

The
cybersecurity
company
theorized
that
the
attacks
are
likely
originating
from
a
Chinese
hacking
group
owing
to
the
web
shell’s
encoding
in
simplified
Chinese
(Windows
Code
page
936).

Also
deployed
in
the
attacks
is
the
China
Chopper
web
shell,
a
lightweight
backdoor
that
can
grant
persistent
remote
access
and
allow
attackers
to
reconnect
at
any
time
for
further
exploitation.

It’s
worth
noting
that
the

China
Chopper
web
shell
was
also
deployed
by
Hafnium,
a
suspected
state-sponsored
group
operating
out
of
China,
when
the
ProxyShell
vulnerabilities
were
subjected
to

widespread
exploitation
last
year.

Further
post-exploitation
activities
observed
by
GTSC
involve
the
injection
of
malicious
DLLs
into
memory,
drop
and
execute
additional
payloads
on
the
infected
servers
using
the
WMI
command-line
(WMIC)
utility.

The
company
said
at
least
more
than
one
organization
has
been
the
victim
of
an
attack
campaign
leveraging
the
zero-day
flaws.
Additional
details
about
the
bugs
have
been
withheld
in
light
of
active
exploitation.

We
have
reached
out
to
Microsoft
for
further
comment,
and
we
will
update
the
story
if
we
hear
back.

In
the
interim,
as
temporary
workarounds,
it’s
recommended
to
add
a
rule
to
block
requests
with
indicators
of
compromise
using
the

URL
Rewrite
Rule
module
for
IIS
servers
–

• In
  Autodiscover
  at
  FrontEnd,
  select
  tab
  URL
  Rewrite,
  and
  then
  select
  Request
  Blocking
• Add
  string “.*autodiscover\.json.*\@.*Powershell.*”
  to
  the
  URL
  Path,
  and
• Condition
  input:
  Choose
  {REQUEST_URI}

“I
can
confirm
significant
numbers
of
Exchange
servers
have
been
backdoored
–
including
a
honeypot,”
Security
researcher
Kevin
Beaumont
said
in
a
series
of
tweets,
adding, “it
looks
like
a
variant
of
proxying
to
the
admin
interface
again.”

“If
you
don’t
run
Microsoft
Exchange
on
premise,
and
don’t
have
Outlook
Web
App
facing
the
internet,
you
are
not
impacted,”
Beaumont

said.