Vietnamese security firm GTSC published a blog post this week warning of a new zero-day remote code execution (RCE) flaw in Microsoft Exchange Server, which it said has been actively exploited at least since early August.
GTSC submitted the vulnerability to the Zero Day Initiative, which verified two flaws on September 8 and 9: ZDI-CAN-18333 and ZDI-CAN-18802, with CVSS scores of 8.8 and 6.3, respectively.
Because GTSC continues to see customers being targeted by attacks exploiting those flaws, the firm said, it published a blog post offering additional information on the vulnerabilities.
“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports webshell management.”
Due to the use of a webshell codepage for simplified Chinese, GTSC attributed the attacks to a Chinese attack group.
“It should be noted that every command ends with the string echo [S]&cd&echo [E], which is one of the signatures of the Chinese Chopper,” they wrote. “In addition, the hacker also injects malicious DLLs into the memory, drops suspicious files on the attacked servers, and executes these files through WMIC.”
Also read: Microsoft Makes Exchange Server Patches Less Optional
Microsoft Offers Guidance on Vulnerabilities
A day after GTSC published its blog post, Microsoft released customer guidance on how to mitigate the vulnerabilities, which affect Microsoft Exchange Server 2013, 2016 and 2019, and are identified as the Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and the RCE flaw CVE-2022-41082.
While Microsoft Exchange Online customers don’t need to take any action, on-premises Microsoft Exchange customers are advised to take the following steps:
- Open the IIS Manager
- Expand the Default Web Site
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rules
- Select Request Blocking and click OK
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions
- Change the condition input from {URL} to {REQUEST_URI}
“There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended,” the company wrote.
Also read: Cybersecurity Agencies Release Guidance for PowerShell Security
Steganography Hides Malware in Microsoft Logo
Separately, Symantec announced that the Witchetty attack group, also known as LookingFrog, has been leveraging a new backdoor Trojan, Backdoor.Stegmap, which uses steganography to hide malware in an image – in this case, a bitmap of an old Microsoft logo. “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” Symantec noted.
Backdoor.Stegmap is capable of creating and removing directories; copying, moving, and deleting files; downloading and running executables; and reading, creating, and deleting registry keys, among other actions.
“In attacks between February and September 2022, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation,” Symantec wrote. “The attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers.”
The Symantec report details a February attack on a government agency in the Middle East that continued over the course of several months.
ESET first reported on Witchetty/LookingFrog in April 2022, identifying it as one of three subgroups of the cyberespionage umbrella group TA410, which itself is loosely linked to APT10/Cicada.
Read next: Top Secure Email Gateway Solutions
