MS Exchange 0 Day Sep30

Microsoft Exchange zero-day actively exploited

Summary

- A new zero-day vulnerability affecting Microsoft Exchange Server has been found in the wild under active exploitation.
- The vulnerability is a remote code execution (RCE). Based on the available information, authentication is required in order to execute the exploit.
- It is theorized that the vulnerabilities are being exploited to drop webshells on victim systems and establish footholds for post-exploitation activity.

Overview

The vulnerability consists of two parts:

1. Requests with a format similar to the ProxyShell vulnerability:
   autodiscover/autodiscover.json?@evil.com/&Email=autodiscover/autodiscover.json%3f@evil.com
2. The use of the link above to access a component in the backend where the RCE could be implemented. However, technical details of the RCE have not been released.

Indicators of compromise

SHA-256
76a2£2644cb3721540e179ca2baall0b71de3370bb560acaéSdcddbd7da3701e
074eb0e7Sbb2d8£59f1£4571a8cSb7 6f9¢899834898da6£7591b68531 £25482
©838e77afe750d713e67ffebseclb82ee9066cbe21f11181£d34429f70831ec]
Sceca9se2b24e030d64 1 84d9d247026£2509ed91 4dafbs7604123057a14c57c0
45c8233236a69a08160390d4faa253177180b2bd45dsed08369607429ffbe0a9
be07bd9310d7a487ca2#49bcdaafb9513c0c8 99921 fdr 79a0Seaba25p524257
29_75£0db3006440651c6342de3c0672210cfb339141c75e12£6c844990931c3
65a002fe65$dcl 751add167cf00adf284c080ab2e97cd386881518d3a31d27£5
5038£191267253c7747d2£0£a5310ee8319288£818392298£d92009926268ca
08¢907a6795Sbedf0 Tddl 1d35f2a23498fb5fteScebSa7£36970cEOTdad Mbt t2

URL
http[:]//206.188.196.77:8080/themes[.]aspx

C2 IP
137.184.67[.]33

Mitigation

Microsoft has not released security updates to address the two zero-days. GTSC (initial writing) shared a temporary mitigation that blocks attack attempts by adding a new IIS server rule using the URL Rewrite Rule module:

1. In Autodiscover at FrontEnd, select the URL Rewrite tab, and then Request Blocking.
2. Add the string .*autodiscover\.json.*\@.*Powershell.* to the URL Path.
3. Condition input: choose {REQUEST_URI}.

Recommendations

- Until an official patch is released by Microsoft, look for signs of compromise by running the following command over the IIS log directory:
  Get-ChildItem -Recurse -Path <Path> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
- Block the identified hash values.
- Block the IP used as a C2 server.
- Block the URL used as a C2 address.
