Exchange Server Zero-Day Being Actively Exploited

Security researchers have warned a zero-day flaw in Microsoft’s Exchange server is being actively exploited.

A Vietnamese infosec company called GTSC appears to have identified the flaw with a post explaining how a pair of flaws allow remote code execution on Exchange installations.

The company reported its findings to the Zero Day Initiative which has assigned the code ZDI-CAN-18333 to one flaw rated 8.8 on the ten-point Common Vulnerability Scoring System (CVSS) scale. A second flaw, ZDI-CAN-18802, is rated 6.3/10.

Details of the flaws are scanty, with GTSC’s post detailing its observations of webshells with Chinese characteristics being dropped onto Exchange servers. Those webshells then “injects malicious DLLs into the memory, drops suspicious files on the attacked servers, and executes these files through the Windows Management Instrumentation Command line (WMIC).

That effort leads to the ability to conduct remote code execution, and that seldom ends well.

At this stage a good ending to this story is hard to envision, because while GTSC has outlined mitigations in its post, Microsoft is yet to issue a fix. History tells me that even once Microsoft publishes a patch, many thousands of Exchange users will not implement it promptly.

To make matters worse, exploits of the flaws are already evident.

GTSC’s post states it’s already seen some of its customers under attack. Infosec analyst Kevin Beaumont tweeted news he’s aware of active attacks, too.

These flaws are just the latest in a long list of problems with Exchange, Microsoft’s flagship messaging product. The most infamous in recent times was the Hafnium flaw thought to have been the work of Chinese actors. Scarcely a month passes without Microsoft finding other Exchange flaws felt worthy of a Patch Tuesday patch, but the software giant has also recently pledged to improve the server’s security by adopting zero-trust principles for connections to the product. ®

READ MORE HERE