Two previously undisclosed zero-day vulnerabilities in Microsoft Exchange are being actively exploited by threat actors to achieve remote code execution on affected servers.
The attacks were first spotted by security experts at the Vietnamese cybersecurity outfit GTSC during a routine security check. The researchers privately notified Microsoft of the vulnerabilities three weeks ago through the Zero Day Initiative (ZDI) program.
On compromised servers, the attackers chained the two zero-day vulnerabilities to deploy China Chopper web shells, which they use for three primary illicit goals:
Based on the code page of the web shells, the attack is presumed to be the work of a Chinese threat group.
The user agent observed installing the web shells belongs to AntSword, an open-source, Chinese-developed website administration tool with web shell management support.
It is still unclear what Microsoft has done about the two flaws so far; the company has not yet assigned CVE IDs under which they could be tracked.
GTSC has released very little information about the zero-days. It did reveal, however, that the requests used in this exploit chain follow the same format as those seen in attacks on the ProxyShell flaws.
The exploit works in two stages and uses a request of the following form to reach an Exchange backend endpoint:
autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
In the meantime, GTSC has released guidelines and a PowerShell command that searches IIS log files for traces of the exploit chain, which administrators can use to check whether their Exchange servers have been targeted:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'