These are ProxyShell vulnerabilities that Microsoft didn’t acknowledge yet, so a tracking CVE ID isn’t set. Meanwhile, the researchers who spotted them shared with Microsoft for an official patch and also gave a temporary workaround for the system admins until then.
RCE Bug in Exchange Servers
Since earlier this year, Microsoft Exchange Servers have been some of the frequently targeted systems due to them having a number of zero-day vulnerabilities. Lately, we have seen two zero-day bugs reported by GTSC – a Vietnamese security company that shared its findings with Microsoft through its Zero Day Initiative.
I can confirm significant numbers of Exchange servers have been backdoored – including a honeypot. Thread to track issue follows: — Kevin Beaumont (@GossiTheDog) September 29, 2022 As per it, the Exchange Servers are infested with two zero-day bugs – concerning the ProxyShell – and leading to a remote code execution attack. Researchers noted active exploitations against these and linked them to a Chinese group citing the web shells and user agents they’re using in the process. They further detailed that the hackers are chaining the pair of zero-days to deploy their Chopper web shells on compromised servers – to gain persistence and data theft and even move laterally to other systems in the victims’ networks. Though they shared these findings with Microsoft three weeks ago, the company is yet to acknowledge and come up with a patch. Until then, GTSC has assigned a tracking ID as ZDI-CAN-18333 and ZDI-CAN-18802 to the two vulnerabilities, with severity scores of 8.8 and 6.3, respectively. Soon after their disclosure, TrendMicro confirmed the submission through a security advisory and added detections for these zero-days to its IPS N-Platform, NX-Platform, or TPS products. Until Microsoft come up with a suitable patch update, GTSC shared temporary mitigation for the Exchange Servers admins, as follows; If you’re a system admin and want to check if your server was compromised by these bugs, try the following PowerShell command to scan the IIS log files;