Important Update: Microsoft Exchange Zero-Day Actively Exploited

UPDATE 10/13/22: The two Microsoft Exchange vulnerabilities now have CVEs assigned:

• CVE-2022-4104: 8.8/10 elevation of privilege vulnerability

• CVE-2022-41082 : 8.8/10 RCE

A pair of CVSS 8.8 and 6.3 vulnerabilities in Microsoft Exchange servers worldwide are currently being targeted by suspected Chinese-based adversaries. The vulnerabilities allow remote code execution and are being leveraged to install web shells nefariously on the target machines. 

Microsoft has not yet disclosed any information regarding the vulnerabilities and there are no CVE IDs associated to track them via the National Vulnerability Database. The vulnerabilities have been submitted to the Zero Day Initiative (ZDI) and verified. ZDI quickly confirmed the vulnerabilities and scored them.

Researchers suspect that a Chinese adversary group is behind the malicious attack due to the webshell codepage being 936, which is a character code for simplified Chinese. Researchers are also confirming that a significant amount of Exchange servers have already been backdoored through the vulnerability, including at least one honeypot. 

Exploitation of this remote code execution vulnerability is allowing the attacker to deploy the webshell code on the targeted exchange servers. Remote Code Execution, or RCE, is a type of vulnerability that allows attackers to run any command or code on the target system within the exploited process. RCEs are a top exploitation technique for adversaries and are highly desirable, especially on a critical system like a Microsoft Exchange server.

How to fix it

As of Thursday, September 29 there is no patch available. GTSC, the Vietnamese cybersecurity team that discovered the vulnerabilities, provided guidance on a temporary fix until patches are released. Organizations can add a Internet Information Services (IIS) server rule to temporarily block exploitation attempts via the URL Rewrite Rule module:

1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.

2. Add string “.*autodiscover\.json.*\@.*Powershell.*“ to the URL Path.

3. Condition input: Choose {REQUEST_URI}

Once patches are released from Microsoft, we recommend patching within 24 hours as these vulnerabilities are being actively exploited, likely by advanced persistent threat (APT) actors.