Cybersecurity Threat Advisory: New Microsoft Exchange Zero-Day Vulnerability
Posted on October 3, 2022 by Mike Beagles
A new critical security alert requires the mission-critical community’s immediate attention.Advisory Overview
A new zero-day vulnerability has been discovered that affects Microsoft Exchange servers. The vulnerability was first reported by CTSC.
This method of attack takes advantage of flaws or vulnerabilities in hardware or software that are unknown to the vendor. Such attacks often go undiscovered for weeks or months. The name stems from the fact that once the vendor becomes aware of the attack, it is already too late, i.e., the vendor has “zero days” to apply a patch or warn the public. Given the large amount of personal and sensitive data that public-sector organizations possess, zero-day exploits represent a serious threat.
What Is the Threat?
It is believed that this vulnerability affects all Microsoft Exchange servers. It enables cyberattackers to remotely execute commands on a server, potentially allowing them to create a backdoor to the server.
Reasonable evidence that this zero-day vulnerability previously was exploited. A few weeks ago, suspicious activity was identified and stopped on multiple Microsoft Exchange servers. These suspicious activities emulate the same attack patterns discussed by GTSC. Unfortunately, the forensic images of the compromised servers did not contain sufficient evidence to indicate a new zero-day vulnerability. However, the presence of ProxyShell within the web traffic was verified, which does align with the GTSC reports, leading us to believe that these are the same vulnerability.
What Are the Recommendations?
Currently, no patch is available. Organizations that have Microsoft Exchange servers in their environments should take the following steps:
- Complete the temporary containment measures indicated in the GTSC article.
- Run the recommended YARA rules over the logs and ASPX files in INSTALL_DIRECTORY/Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\.
- Manually inspect odd or suspicious files along with files that seem to be installed by default, as these may be signs of backdoor access.