A new critical security alert requires the mission-critical community’s immediate attention.
Advisory OverviewA new zero-day vulnerability has been discovered that affects Microsoft Exchange servers. The vulnerability was first reported by CTSC.
This method of attack takes advantage of flaws or vulnerabilities in hardware or software that are unknown to the vendor. Such attacks often go undiscovered for weeks or months. The name stems from the fact that once the vendor becomes aware of the attack, it is already too late, i.e., the vendor has “zero days” to apply a patch or warn the public. Given the large amount of personal and sensitive data that public-sector organizations possess, zero-day exploits represent a serious threat.
What Is the Threat?
It is believed that this vulnerability affects all Microsoft Exchange servers. It enables cyberattackers to remotely execute commands on a server, potentially allowing them to create a backdoor to the server.
Reasonable evidence that this zero-day vulnerability previously was exploited. A few weeks ago, suspicious activity was identified and stopped on multiple Microsoft Exchange servers. These suspicious activities emulate the same attack patterns discussed by GTSC. Unfortunately, the forensic images of the compromised servers did not contain sufficient evidence to indicate a new zero-day vulnerability. However, the presence of ProxyShell within the web traffic was verified, which does align with the GTSC reports, leading us to believe that these are the same vulnerability.
What Are the Recommendations?
Currently, no patch is available. Organizations that have Microsoft Exchange servers in their environments should take the following steps: