Unpatched Microsoft Exchange Zero-Day

Security experts are warning about previously unknown holes in fully patched Microsoft Exchange servers that are being exploited in real-world attacks by malicious actors to achieve remote code execution on affected machines.

The warning comes from GTSC, a Vietnamese cybersecurity firm that found the flaws as part of its security monitoring and incident response activities in August 2022.

The Zero Day Initiative is tracking two vulnerabilities that have yet to be awarded CVE identifiers: ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3).

According to GTSC, successful exploitation of the flaws could be used to obtain a foothold in the victim's systems, allowing attackers to drop web shells and move laterally across the network.

“We discovered web shells, most of which were obfuscated, being dumped to Exchange servers,” the firm said. “We discovered that the attacker is using Antsword, an active Chinese-based open source cross-platform website administration application that provides web shell management, depending on the user-agent.”


Exploitation requests in IIS logs are said to look the same as those for the ProxyShell Exchange Server vulnerabilities, with GTSC noting that the targeted servers had already been patched against the holes disclosed in April 2021.

Because the web shell is encoded in simplified Chinese (Windows code page 936), the cybersecurity firm believes the attacks are likely the work of a Chinese hacking group.

The attacks also used the China Chopper web shell, a lightweight backdoor that provides persistent remote access and lets attackers reconnect at any time for further exploitation.

When the ProxyLogon vulnerabilities were widely exploited last year, the China Chopper web shell was also deployed by Hafnium, a suspected state-sponsored group operating out of China.

GTSC observed other post-exploitation activity, such as the injection of malicious DLLs into memory, as well as the dropping and execution of additional payloads on affected servers using the WMI command-line (WMIC) utility.

According to the firm, at least one organization has been the target of an attack campaign using the zero-day flaws. Further details about the vulnerabilities are being withheld because of ongoing exploitation.

We have reached out to Microsoft for more information and will update the article if we receive a response.

Meanwhile, as a temporary mitigation, GTSC advises adding a rule to the URL Rewrite module on IIS servers that blocks requests carrying the indicator of compromise:

  • In IIS Manager, open Autodiscover under the FrontEnd site, select the URL Rewrite tab and then Request Blocking.
  • Add the string “.*autodiscover.json.*@.*Powershell.*” to the URL Path and press Enter.
  • Select {REQUEST_URI} as the condition input.
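As an added illustration (not code from the article, GTSC or Microsoft), the following Python script applies the same blocking pattern to constructed IIS W3C log lines to show which requests the rule would reject; it assumes the rule is evaluated case-insensitively against the full request URI including the query string, which is the IIS URL Rewrite default.

```python
import re

# The blocking pattern quoted in the article, matched against {REQUEST_URI}.
# IIS URL Rewrite patterns are case-insensitive by default, so the same flag
# is used here (assumption: the rule keeps that default).
BLOCK_PATTERN = re.compile(r".*autodiscover.json.*@.*Powershell.*", re.IGNORECASE)

# Constructed W3C-format IIS log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:00:01 10.0.0.5 GET /autodiscover/autodiscover.json a=user@example.test/powershell/ 443 - 198.51.100.7 Mozilla/5.0 200
2022-09-29 10:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 Mozilla/5.0 302
2022-09-29 10:00:03 10.0.0.5 GET /autodiscover/autodiscover.json email=user@example.test 443 - 203.0.113.9 Mozilla/5.0 200
2022-09-29 10:00:04 10.0.0.5 GET /Autodiscover/Autodiscover.JSON x=a@b/PowerShell/ 443 - 198.51.100.7 Mozilla/5.0 200
"""


def request_uri(stem, query):
    """Rebuild {REQUEST_URI} from the stem and query fields ("-" means no query)."""
    return stem if query == "-" else f"{stem}?{query}"


def parse_w3c(text):
    """Yield one dict per data line of a W3C-format IIS log, keyed by #Fields names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split()))


def blocked_requests(text):
    """Return (client ip, request uri) for every log line the blocking rule would match."""
    hits = []
    for rec in parse_w3c(text):
        uri = request_uri(rec["cs-uri-stem"], rec["cs-uri-query"])
        if BLOCK_PATTERN.match(uri):
            hits.append((rec["c-ip"], uri))
    return hits


if __name__ == "__main__":
    for ip, uri in blocked_requests(SAMPLE_LOG):
        print(f"rule would block {ip}: {uri}")
```

Only the two lines that contain autodiscover.json, an "@" and "powershell" in sequence are flagged; a plain Autodiscover lookup with an e-mail address in the query is left alone.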

“I can confirm huge numbers of Exchange servers have been backdoored – including a honeypot,” security researcher Kevin Beaumont tweeted, adding, “it appears to be a form of proxying to the admin interface again.”

“You are not harmed if you do not operate Microsoft Exchange on-premise and do not have Outlook Web App facing the internet,” Beaumont explained.
