Two actively exploited zero-day flaws threaten Microsoft Exchange servers

  • 📰 mybroadband


Vietnamese cybersecurity firm GTSC discovered the two vulnerabilities in August 2022.

Attackers are actively exploiting two flaws in fully patched Microsoft Exchange servers to execute code remotely on affected systems, The Hacker News reports.

The warning came from cybersecurity researchers at the Vietnamese security firm GTSC, who first spotted the vulnerabilities in August 2022.

The two flaws are tracked as ZDI-CAN-18333 and ZDI-CAN-18802, which have been assigned Common Vulnerability Scoring System scores of 8.8 and 6.3, respectively.

According to GTSC, exploiting the vulnerabilities could let malicious actors access Microsoft Exchange server systems to drop web shells and carry out lateral movement across the compromised network.

“Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports web shell management.”

GTSC believes that a Chinese group is likely carrying out the attacks, as the web shell encoding is in simplified Chinese.

The Hacker News provided details on temporary workarounds, including adding a rule to block requests with indicators of compromise through the URL Rewrite Rule Module for IIS servers:

Add the string: “.*autodiscover\.json.*\@.*Powershell.
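As an added example (not code from GTSC, The Hacker News or Microsoft), the following Python script runs the string quoted above over IIS W3C log lines to show which requests the blocking rule would match, which also makes it usable for reviewing past traffic. The pattern is taken only as far as the page quotes it; the case-insensitive matching, the log field layout, the function name `flag_requests` and every sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Pattern as far as the page quotes it (the page's string appears cut off after
# "Powershell"). Case-insensitive matching is an assumption of this example.
PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell", re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-09-30 08:00:01 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 192.0.2.10 Mozilla/5.0 200
2022-09-30 08:00:07 GET /autodiscover/autodiscover.json @example.test/Powershell 198.51.100.7 sample-agent 302
2022-09-30 08:00:09 POST /autodiscover/autodiscover.json Email=user%40example.test 192.0.2.11 Outlook 200
2022-09-30 08:00:12 GET /Autodiscover/autodiscover.json a%40example.test/powershell/ 198.51.100.7 sample-agent 302
"""


def flag_requests(log_text, pattern=PATTERN):
    """Return (date, time, client IP, decoded URI) for each request the rule would match."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip other directives and blank lines
        row = dict(zip(fields, line.split(" ")))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":                   # IIS writes "-" for an empty field
            uri += "?" + query
        uri = unquote(uri)                 # logs may hold percent-encoded characters
        if pattern.search(uri):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), uri))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(*hit)
```

The ordinary Autodiscover request in the sample is not flagged because it lacks the Powershell segment, which is the check to make before enabling a blocking rule on a production server.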

 
