Cybersecurity Threat Advisory: New Microsoft Exchange Zero-Day Vulnerability

Mike Beagles, October 3, 2022

A new critical security alert requires the mission-critical community’s immediate attention.

Advisory Overview

A new zero-day vulnerability has been discovered that affects Microsoft Exchange servers. The vulnerability was first reported by GTSC.

This method of attack takes advantage of flaws or vulnerabilities in hardware or software that are unknown to the vendor. Such attacks often go undiscovered for weeks or months. The name stems from the fact that once the vendor becomes aware of the attack, it is already too late, i.e., the vendor has “zero days” to apply a patch or warn the public. Given the large amount of personal and sensitive data that public-sector organizations possess, zero-day exploits represent a serious threat.

What Is the Threat?

It is believed that this vulnerability affects all Microsoft Exchange servers. It enables cyberattackers to remotely execute commands on a server, potentially allowing them to create a backdoor to the server.

There is reasonable evidence that this zero-day vulnerability has previously been exploited. A few weeks ago, suspicious activity was identified and stopped on multiple Microsoft Exchange servers. That activity followed the same attack patterns discussed by GTSC. Unfortunately, the forensic images of the compromised servers did not contain sufficient evidence to confirm a new zero-day vulnerability. However, the presence of ProxyShell within the web traffic was verified, which does align with the GTSC reports, leading us to believe that these are the same vulnerability.

What Are the Recommendations?

Currently, no patch is available. Organizations that have Microsoft Exchange servers in their environments should take the following steps:

  • Complete the temporary containment measures indicated in the GTSC article.
  • Run the recommended YARA rules over the logs and ASPX files in INSTALL_DIRECTORY/Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\.
  • Manually inspect odd or suspicious files along with files that seem to be installed by default, as these may be signs of backdoor access.
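The manual file-inspection step above can be given a repeatable form. The following is an added example, not code from this advisory or from GTSC: a Python triage script that lists the .aspx files under the owa directory and flags any whose SHA-256 is not in a known-good baseline, or that were modified recently. The baseline is assumed to come from a clean reference server of the same Exchange build, and the directory, file names and timestamps in demo() are a constructed fixture.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_aspx(owa_dir, baseline_hashes, max_age_days=30, now=None):
    """Return (relative_path, reason) pairs for .aspx files that need a manual look.

    baseline_hashes: SHA-256 digests of the .aspx files shipped with the same
    Exchange build, taken from a clean reference server (an assumption of this
    example); never build the baseline from the suspect host itself.
    """
    now = time.time() if now is None else now
    root = Path(owa_dir)
    findings = []
    for path in sorted(root.rglob("*.aspx")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if sha256_of(path) not in baseline_hashes:
            findings.append((rel, "hash not in known-good baseline"))
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days <= max_age_days:
            findings.append((rel, f"modified {age_days:.1f} days ago"))
    return findings

def demo():
    """Constructed fixture standing in for the owa directory: one shipped page in
    the baseline with an old mtime, one unknown page that appeared two days ago."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth").mkdir()
        shipped = root / "auth" / "logon.aspx"
        unknown = root / "auth" / "example_unknown.aspx"
        shipped.write_text('<%@ Page Language="C#" %> shipped page (constructed)')
        unknown.write_text("constructed sample file, not a real web shell")
        now = 1_700_000_000  # fixed clock so the result is reproducible
        os.utime(shipped, (now - 400 * 86400, now - 400 * 86400))
        os.utime(unknown, (now - 2 * 86400, now - 2 * 86400))
        return triage_aspx(root, {sha256_of(shipped)}, max_age_days=30, now=now)
```

On a real server, point triage_aspx at the owa directory named above and feed it the reference-server digests; every flagged file still needs the manual review the advisory calls for.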

If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite for critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.


Mike Beagles
Mike has specialized experience with supporting public safety agencies by providing technical expertise, strategic planning and general consulting for new and innovative mission critical technologies as well as legacy solutions. Throughout his long-standing career, he has worked as a technical service manager and network engineer for several public safety software companies, as well as an IT manager with a mid-tier public safety 911/ CAD/RMS/Mobile software provider. His expertise runs deep in team and project management for large and small projects, which he has done for more than 12 years.
