Saturday, December 2, 2023

New Microsoft Exchange Zero-Day RCE Bug Actively Exploited by Hackers

New zero-day bugs existing in Microsoft Exchange that are not disclosed yet publicly are being exploited by the threat actors in order to perform remote code execution on affected systems.

These attacks are first spotted by security experts at Vietnamese cybersecurity outfit GTSC during a routine security checkup. Microsoft was notified privately three weeks ago of the security vulnerabilities by the researchers through their Zero Day Initiative program.

On compromised servers, the hackers deployed Chinese Chopper web shells by combining two zero-day vulnerabilities. While they deploy the malicious Chinese Chopper web shells for three primary illicit goals:-

  • To gain persistence 
  • Data theft
  • Move laterally to other systems

Apart from this, it has been presumed based on the code page of the web shells, the attack is being carried out by a Chinese threat group.


In this case, the web shells are installed by Antsword’s user agent. With Web Shell management support, Antsword is an open-source website admin tool that is developed in Chinese.

It is still unclear what Microsoft has done about the two security flaws so far since the company has not yet assigned a CVE ID to any of them to ensure their tracking.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative.

A very limited amount of information has been released about these zero-day flaws by GTSC. However, they did reveal that the attacks that targeted the ProxyShell flaws and the requests used in this exploit chain are completely identical.

Exploit stages

Two stages are involved in the exploit in order to work:-

  • In IIS logs, exploit requests with the same format as the ProxyShell vulnerability have been detected:

autodiscover/[email protected]/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%[email protected].

  • It is possible to implement RCE in the backend with the help of the link above which can be operated to access an element in the backend.


Consequently, GTSC has released guidelines and a tool that can be used to look up IIS log files. This tool can be used to determine if this bug has exploited any Exchange servers or not.

  • First of all, you have to use the Powershell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200 

  • Secondly use the tool developed by GTSC that can be downloaded from here.

Cyber Attack with Zero Trust Networking – Download Free E-Book


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles