WARNING: New 0-day exploit on Exchange!

If you are running Exchange servers locally, I would recommend you read this. According to several posts since yesterday, there is a new 0-day exploit going on: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html#:~:text=Temporary%20containment%20measures

Based on several blog posts, I recommend the following actions:

  1. Add a new IIS request-blocking rule using the URL Rewrite module:
    1. Select Autodiscover under the FrontEnd site, open the URL Rewrite tab and choose Request Blocking.
    2. Add the string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path.
    3. Condition input: choose {REQUEST_URI}
  2. Check for signs of compromise by scanning the IIS logs with this PowerShell command on your server:
    1. Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
  3. Check for indicators that you have already been compromised:
    1. You can find the IOCs at the end of GTSC's post.
  4. Make sure your Exchange servers and Exchange setup are patched and on the latest CU!
    1. https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

Big thanks to GTSC for a thorough walkthrough so far!

If you have any questions or need help to navigate and look for something, don’t be shy! Leave a comment and I will try to help you along the way! 😊
