Attackers are actively exploiting two flaws in fully patched Microsoft Exchange servers to execute code remotely on affected systems, The Hacker News reports.

The warning came from cybersecurity researchers at the Vietnamese security firm GTSC, who first spotted the vulnerabilities in August 2022.

The Zero Day Initiative tracks the two flaws as ZDI-CAN-18333 and ZDI-CAN-18802, which have been assigned Common Vulnerability Scoring System (CVSS) scores of 8.8 and 6.3, respectively.

According to GTSC, exploiting the vulnerabilities could let malicious actors access Microsoft Exchange server systems to drop web shells and carry out lateral movements across the compromised network.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” it said.

“Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports web shell management.”

GTSC believes that a Chinese group is likely carrying out the attacks, as the web shell encoding is simplified Chinese.

It added that attackers had targeted several organisations by exploiting the two flaws.

The Hacker News provided details on temporary workarounds, including adding a request-blocking rule in the URL Rewrite Module for IIS that rejects requests matching the known indicator of compromise:

Select the URL Rewrite tab in AutoDiscover at FrontEnd, then select Request Blocking,

Add the string: “.*autodiscover\.json.*\@.*Powershell.*” to the URL path, and

Specify the condition input: Choose {REQUEST_URL}.
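The same pattern that the URL Rewrite rule blocks can be run retrospectively over IIS logs to find requests that reached the server before the rule was in place. The script below is an added example for illustration, not code from GTSC, Microsoft or The Hacker News. It applies the article's string as a case-insensitive regular expression to the stem plus query string of each logged request (both the case-insensitivity and the stem-plus-query matching are this example's assumptions about how the rule is evaluated), and separately flags requests whose user-agent contains "antSword", since the article says the tool was identified from its user-agent. The log lines are constructed samples in IIS W3C format; the user-agent value is likewise a constructed sample, not a confirmed signature.

```python
import re
from typing import Dict, List, Tuple

# Pattern from the workaround described in the article. Matching it
# case-insensitively is an assumption made by this example.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed sample IIS W3C log (not real traffic). Field order follows the
# "#Fields:" header, as IIS writes it; "-" means an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-09-30 10:00:01 GET /owa/ - 203.0.113.5 Mozilla/5.0 200
2022-09-30 10:00:02 POST /autodiscover/autodiscover.json a@example.invalid/powershell 203.0.113.7 python-requests/2.28 200
2022-09-30 10:00:03 GET /autodiscover/autodiscover.json x=1 203.0.113.8 antSword/v2.1 200
2022-09-30 10:00:04 GET /ecp/default.aspx - 203.0.113.9 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format log text into one dict per request, keyed by field name."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names the columns that follow
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no requests
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        entries.append(dict(zip(fields, values)))
    return entries


def request_url(entry: Dict[str, str]) -> str:
    """Rebuild the requested URL (stem plus query) that the rewrite rule inspects."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def find_suspicious(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (client IP, reason) pairs for requests that match either indicator."""
    hits: List[Tuple[str, str]] = []
    for entry in entries:
        client = entry.get("c-ip", "?")
        if BLOCK_PATTERN.match(request_url(entry)):
            hits.append((client, "autodiscover-powershell-pattern"))
        # Substring check on the user-agent; "antsword" is an assumed marker here.
        if "antsword" in entry.get("cs(User-Agent)", "").lower():
            hits.append((client, "antsword-user-agent"))
    return hits


if __name__ == "__main__":
    for client_ip, reason in find_suspicious(parse_iis_log(SAMPLE_LOG)):
        print(f"{client_ip}\t{reason}")
```

Because the `@` and `Powershell` parts of the indicator sit after the `.json` path segment, a check that only inspects `cs-uri-stem` will miss the request; the query string has to be included, which is why the script rebuilds the full URL before matching.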

Cybersecurity researcher Kevin Beaumont explained that organisations that are not running Microsoft Exchange on-site, or that do not have the Outlook Web App facing the Internet, are unaffected.

