Zero-day attacks on Microsoft Exchange Server – security patches are missing


Due to attacks and the lack of patches so far, admins should secure Exchange Server with a workaround.

Security researchers warn that attackers are currently exploiting two zero-day vulnerabilities in Microsoft Exchange Server. Security updates are not yet available. But there is a workaround.

Security researchers from GTSC came across the attacks and summarized their findings in a report. According to the report, attackers from the Chinese sphere are said to be successfully attacking Exchange Servers and entrenching themselves in systems via backdoors. After a successful attack, execution of malicious code is possible. In addition, the foothold gained serves as a starting point for spreading to other systems.

In the meantime, other security researchers, including Trend Micro’s Zero Day Initiative (ZDI), have confirmed the vulnerabilities and the attacks. Microsoft has not yet commented.

Hardly any details on the vulnerabilities are available so far. CVE numbers have not been assigned at this time. The ZDI rates the vulnerabilities with CVSS scores of 8.8 (ZDI-CAN-18333) and 6.3 (ZDI-CAN-18802). The attacks are said to proceed similarly to those with ProxyShell in summer 2021.

It is still unclear when security patches will appear. However, in order to protect systems now, the security researchers at GTSC have developed a temporary workaround that blocks the requests used to initiate the attack. To do this, admins must create a request blocking rule under Autodiscover in the URL Rewrite tab, with the following content in the URL Path:

.*autodiscover\.json.*\@.*Powershell.*

As the condition input, they must select {REQUEST_URI}.

Admins can use the following PowerShell command to check whether servers are already compromised.

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
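
A field-aware variant of the log check above, as an added example that is not from the original article or from GTSC: it reads the W3C `#Fields:` header, percent-decodes the URI and compares the status column exactly. The function name and the sample log lines are assumptions constructed for illustration.

```powershell
# Added example, not from the article. Assumes W3C logs whose "#Fields:" header
# includes cs-uri-stem, cs-uri-query and sc-status.
function Find-AutodiscoverPowershellHit {
    param([string[]]$Lines)

    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order can differ between log files; re-read it at each header.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if (-not $line -or $line.StartsWith('#') -or $fields.Count -eq 0) { continue }

        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or corrupt line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Percent-decode so an encoded '@' (%40) cannot hide the request.
        $uri = [uri]::UnescapeDataString($row['cs-uri-stem'] + '?' + $row['cs-uri-query'])

        # The article's two patterns list the tokens in different orders, so require
        # all three anywhere in the URI (-match is case-insensitive).
        $suspicious = ($uri -match 'autodiscover\.json') -and ($uri -match '@') -and ($uri -match 'powershell')

        # Exact comparison on the status column, not "200" anywhere in the line.
        if ($suspicious -and $row['sc-status'] -eq '200') {
            [pscustomobject]@{
                Date = $row['date']; Time = $row['time']
                ClientIP = $row['c-ip']; Uri = $uri
            }
        }
    }
}

# Constructed sample log (documentation IP ranges), not real traffic.
$sample = @(
    '#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken'
    '2022-09-30 08:15:02 GET /autodiscover/autodiscover.json x=y%40example.test/powershell 203.0.113.7 200 31'
    '2022-09-30 08:15:09 GET /autodiscover/autodiscover.json x=y@example.test/powershell 203.0.113.7 404 200'
    '2022-09-30 08:16:40 POST /autodiscover/autodiscover.xml - 198.51.100.4 401 15'
)
Find-AutodiscoverPowershellHit -Lines $sample | Format-Table -AutoSize
```

Only the first sample line is reported: the second was answered with 404 and merely has 200 in the time-taken column, which a plain text match on "200" would count as a hit.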