Symantec and GTSC warn of active Microsoft exploits

Vietnamese security company GTSC released a blog post this week warning of a new zero-day remote code execution (RCE) flaw in Microsoft Exchange Server, which it claims has been actively exploited since at least early August.

GTSC submitted the vulnerability to the Zero Day Initiative, which verified two flaws on September 8 and 9: ZDI-CAN-18333 and ZDI-CAN-18802, with CVSS scores of 8.8 and 6.3, respectively.

As GTSC continues to see customers targeted by attacks exploiting these flaws, the company said it has published a blog post offering additional insight into the vulnerabilities.

“We detected abandoned, mostly obfuscated webshells on Exchange servers,” GTSC wrote. “Using the user agent, we detected that the attacker is using Antsword, an active China-based open-source cross-platform website administration tool that supports webshell management.”

Because the webshell's code page was set to simplified Chinese, GTSC attributed the attacks to a Chinese attack group.

“It should be noted that each command ends with the string echo [S]&cd&echo [E], which is one of the signatures of the Chinese Chopper,” they wrote. “Additionally, the hacker also injects malicious DLLs into memory, drops suspicious files on the attacked servers, and executes these files via WMIC.”


Microsoft offers guidance on vulnerabilities

A day after GTSC published its blog post, Microsoft released guidance to customers on mitigating the vulnerabilities, which affect Microsoft Exchange Server 2013, 2016 and 2019 and are tracked as the Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and the RCE flaw CVE-2022-41082.

Although Microsoft Exchange Online customers do not need to take any action, Microsoft Exchange on-premises customers are advised to take the following steps:

  • Open the IIS manager
  • Expand Default Website
  • In the features view, click URL Rewrite
  • In the Actions pane on the right side, click Add Rules
  • Select Request blocking and click OK
  • Add the string “.*autodiscover.json.*@.*Powershell.*” (excluding quotes) and click OK
  • Expand the rule and select the rule with the pattern “.*autodiscover.json.*@.*Powershell.*”, then click Edit under Conditions
  • Change the condition input from {URL} to {REQUEST_URI}

“There is no known impact on Exchange functionality if the URL Rewrite Module is installed as recommended,” the company wrote.
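The last step of the procedure matters more than it looks: in IIS URL Rewrite, {URL} is the request path only, while {REQUEST_URI} also includes the query string, which is where the “@” and the PowerShell path segment of these requests can sit. The following added example (not code from the article, GTSC or Microsoft) applies the published blocking pattern to constructed W3C-style IIS log lines both ways, so a defender can see which requests the rule catches when it is bound to the full request URI and which it misses when bound to the path alone. The log lines, the field layout and the host name example.test are all constructed for the demonstration.

```python
import re

# Blocking pattern quoted from Microsoft's guidance. IIS URL Rewrite matches
# patterns case-insensitively by default, so the Python equivalent is IGNORECASE.
BLOCK_PATTERN = re.compile(r".*autodiscover.json.*@.*Powershell.*", re.IGNORECASE)

# Constructed sample log in a reduced W3C layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status  ("-" means no query)
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2022-09-29 10:00:01 POST /autodiscover/autodiscover.json @example.test/powershell 200
2022-09-29 10:00:02 GET /owa/ - 200
2022-09-29 10:00:03 POST /autodiscover/autodiscover.json @example.test/PowerShell/ 401
2022-09-29 10:00:04 GET /autodiscover/autodiscover.json email=user@example.test 200
"""


def parse_line(line):
    """Split one reduced W3C log line into its fields."""
    _date, _time, method, stem, query, status = line.split()
    return {
        "method": method,
        "stem": stem,                       # what {URL} sees: the path only
        "query": "" if query == "-" else query,
        "status": int(status),
    }


def request_uri(rec):
    """Rebuild what {REQUEST_URI} sees: path plus query string, if any."""
    return rec["stem"] + ("?" + rec["query"] if rec["query"] else "")


def matches(rec, use_request_uri=True):
    """Apply the blocking pattern to either the full request URI or the path only."""
    target = request_uri(rec) if use_request_uri else rec["stem"]
    return BLOCK_PATTERN.search(target) is not None


def scan(log_text, use_request_uri=True):
    """Return the request URIs in the log that the rule would block."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):   # skip blank and #Fields lines
            continue
        rec = parse_line(line)
        if matches(rec, use_request_uri):
            hits.append(request_uri(rec))
    return hits


if __name__ == "__main__":
    print("bound to {REQUEST_URI}:", scan(SAMPLE_LOG, use_request_uri=True))
    print("bound to {URL}:        ", scan(SAMPLE_LOG, use_request_uri=False))
```

Bound to {REQUEST_URI}, the rule flags both autodiscover requests whose query string contains “@” followed by a PowerShell path segment (regardless of letter case), while the ordinary autodiscover lookup with an e-mail address in the query is left alone because it has no PowerShell segment. Bound to {URL}, the same pattern matches nothing, because the path “/autodiscover/autodiscover.json” never contains an “@”.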


Steganography hides malware in the Microsoft logo

Separately, Symantec announced that the Witchetty attack group, also known as LookingFrog, is deploying a new backdoor Trojan, Backdoor.Stegmap, which uses steganography to hide malware in an image – in this case, a bitmap of an old Microsoft logo. “Disguising the payload in this way allowed attackers to host it on a free and trusted service,” Symantec noted.

Backdoor.Stegmap is able to create and delete directories; copy, move and delete files; download and run executables; and read, create, and delete registry keys, among other actions.

“In attacks between February and September 2022, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African country,” Symantec wrote. “The attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public servers before stealing credentials, moving laterally across networks, and installing malware on other computers.”

Symantec’s report details a February attack on a government agency in the Middle East that continued for several months.

ESET first reported on Witchetty/LookingFrog in April 2022, identifying it as one of three subgroups of the cyber espionage umbrella group TA410, itself loosely related to APT10/Cicada.
