If you are running Exchange servers on-premises, I recommend you read this. According to several posts since yesterday, a new 0-day exploit is being used in the wild; https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html#:~:text=Temporary%20containment%20measures
Based on several blog posts, I recommend the following actions:
- Add a new IIS rule using the URL Rewrite module:
- In IIS Manager, under the Default Web Site (the Exchange front end) select Autodiscover, open the URL Rewrite feature and add a Request Blocking rule.
- Block access based on URL Path, set Using to Regular Expressions, and enter the pattern ".*autodiscover\.json.*\@.*Powershell.*".
- Then edit the rule's condition so the input is {REQUEST_URI} (not {URL}); {REQUEST_URI} includes the query string, which is where the "@" and "Powershell" parts of these requests appear. Keep in mind the rule only blocks what the regex literally matches (an encoded "@" is not the same as "@"), so test it and watch for updated guidance.
- Check for signs of compromise by scanning the IIS logs on your server with this PowerShell command:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
- Check for indicators that you have already been compromised:
- You can find the IOCs at the end of GTSC's post.
- Make sure your Exchange servers and Exchange setup are patched and on the latest CU (Cumulative Update)!
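If you have more than one front-end server, the same Request Blocking rule can be created from PowerShell instead of clicking through IIS Manager. This is an added example (not from the original post or from GTSC): it uses the WebAdministration module and assumes the URL Rewrite module is installed, that the rule is scoped to the Autodiscover application under the Default Web Site, and the rule name is one I picked. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example, not from the original post or GTSC. Creates the Request Blocking
# rule described above via the WebAdministration module and reads it back.
# Assumptions: URL Rewrite module installed; rule scoped to Default Web Site\Autodiscover;
# the rule name below is arbitrary.
Import-Module WebAdministration

$RuleName  = 'BlockAutodiscoverPowershell'                  # assumed name, pick your own
$SitePath  = 'IIS:\Sites\Default Web Site\Autodiscover'
$Pattern   = '.*autodiscover\.json.*\@.*Powershell.*'
$RulesPath = 'system.webServer/rewrite/rules'
$RulePath  = "$RulesPath/rule[@name='$RuleName']"

function Add-AutodiscoverBlockRule {
    # Idempotent: leave an existing rule with this name untouched.
    if (Get-WebConfiguration -PSPath $SitePath -Filter $RulePath) {
        Write-Host "Rule '$RuleName' already exists, leaving it alone."
        return
    }
    # Same pieces the IIS Manager template writes into web.config:
    # match every URL, then abort the request when the condition regex matches
    # {REQUEST_URI} (which, unlike the match url, includes the query string).
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesPath -Name '.' `
        -Value @{ name = $RuleName; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RulePath/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RulePath/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RulePath/action" -Name 'type' -Value 'AbortRequest'
}

function Test-AutodiscoverBlockRule {
    # Read the rule back so you can see what IIS actually stored.
    $cond = Get-WebConfiguration -PSPath $SitePath -Filter "$RulePath/conditions/add"
    $act  = Get-WebConfiguration -PSPath $SitePath -Filter "$RulePath/action"
    [pscustomobject]@{
        Rule    = $RuleName
        Input   = $cond.input
        Pattern = $cond.pattern
        Action  = $act.type
    }
}

Add-AutodiscoverBlockRule
Test-AutodiscoverBlockRule | Format-List
```

After running it, confirm the rule shows Input {REQUEST_URI} and Action AbortRequest, and send a harmless test request that matches the pattern to verify it is dropped.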
Big thanks to GTSC for a thorough walkthrough so far!
If you have any questions or need help navigating and looking for something, don't be shy! Leave a comment and I will try to help you along the way! 😊