Two nasty exploits discovered in September putting companies in danger

Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)

The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) product that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack.

A report from CrowdStrike says that the infected variant was available from the vendor's website from at least September 26 until the morning of September 29.

Because the trojanized installer carried a valid digital signature, antivirus solutions did not raise warnings when it was launched, allowing for a stealthy supply-chain attack. A valid signature only shows that the file was signed with a key the signer controlled; it says nothing about whether the signed content is clean, which is exactly what makes a trojanized vendor installer so effective.

New Microsoft Exchange zero-days actively exploited in attacks (bleepingcomputer.com)

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

The user agent used to install the web shells also belongs to Antsword, a China-based open-source website admin tool with web shell management support.

Microsoft hasn’t disclosed any information regarding the two security flaws so far and is yet to assign a CVE ID to track them.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

“GTSC submitted the vulnerability to the Zero Day Initiative (ZDI) right away to work with Microsoft so that a patch could be prepared as soon as possible,” they added. “ZDI verified and acknowledged 2 bugs, whose CVSS scores are 8.8 and 6.3.”

Trend Micro, which runs the Zero Day Initiative, released a security advisory Thursday evening confirming that it submitted the two new Microsoft Exchange zero-day vulnerabilities discovered by GTSC to Microsoft.

The company has already added detections for these zero-days to its IPS N-Platform, NX-Platform, and TPS products.

GTSC has released very few details regarding these zero-day bugs. Still, its researchers did reveal that the requests used in this exploit chain are similar to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit works in two stages:

  1. Requests with a format similar to the ProxyShell exploit: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com.
  2. Use of that request to reach a component on the backend where the RCE is triggered.

“The version number of these Exchange servers showed that the latest update had already been installed, so an exploitation using the Proxyshell vulnerability was impossible,” the researchers said.

Temporary mitigation available

Until Microsoft releases security updates to address the two zero-days, GTSC shared a temporary mitigation that blocks attack attempts by adding a request-blocking rule in IIS with the URL Rewrite module:

  1. In IIS Manager, select the Autodiscover site under FrontEnd, open URL Rewrite, and add a Request Blocking rule.
  2. Block access based on URL Path and enter the pattern ".*autodiscover\.json.*\@.*Powershell.*" (regular expression).
  3. For the condition input, choose {REQUEST_URI}.

“We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the above temporary remedy as soon as possible to avoid potential serious damages,” GTSC added.

Admins who want to check if their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan IIS log files for indicators of compromise:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
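The following PowerShell is an added example, not code from the article or from GTSC. It turns the one-line log search above into a reusable scan that parses the IIS W3C fields instead of matching the whole line, so each hit comes back with the client IP, user agent and status code an analyst needs, and it also flags the Antsword user agent mentioned earlier (assumed here to contain "antSword", the tool's default). A second helper applies GTSC's URL Rewrite pattern from the mitigation steps to candidate request URIs, which makes the rule's reach visible: the pattern needs a literal "@" and the string "Powershell" somewhere in {REQUEST_URI}, and a request that carries neither is simply not matched. The log lines and request URIs in the block are constructed for illustration; the field order is read from the "#Fields:" header rather than assumed.

```powershell
# Added example (not from the article or GTSC). Parses W3C-format IIS logs and
# flags requests matching the exploit shape GTSC described or the Antsword UA.
function Find-ExchangeExploitAttempts {
    [CmdletBinding()]
    param(
        # Lines of a W3C IIS log, including its "#Fields:" header line.
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Exploit shape on stem+query; -match is case-insensitive in PowerShell.
        [string] $UriPattern = 'autodiscover\.json.*@.*powershell',
        # Assumed default user agent of the Antsword web shell manager.
        [string] $UserAgentPattern = 'antSword'
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { continue }                      # no header yet: columns unknown
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $uri    = '{0}?{1}' -f $row['cs-uri-stem'], $row['cs-uri-query']
        $uriHit = $uri -match $UriPattern
        $uaHit  = $row['cs(User-Agent)'] -match $UserAgentPattern
        if ($uriHit -or $uaHit) {
            [pscustomobject]@{
                Time      = '{0} {1}' -f $row['date'], $row['time']
                ClientIP  = $row['c-ip']
                Method    = $row['cs-method']
                Uri       = $uri
                Status    = [int]$row['sc-status']   # 200 = reached backend; other codes are still attempts
                UserAgent = $row['cs(User-Agent)']
                Reason    = if ($uriHit -and $uaHit) { 'uri+ua' } elseif ($uriHit) { 'uri' } else { 'ua' }
            }
        }
    }
}

# Applies GTSC's URL Rewrite pattern to candidate URIs. IIS URL Rewrite
# conditions ignore case by default, so -imatch mirrors the rule's behaviour.
function Test-BlockRulePattern {
    param(
        [Parameter(Mandatory)] [string[]] $RequestUri,
        [string] $Pattern = '.*autodiscover\.json.*\@.*Powershell.*'
    )
    foreach ($u in $RequestUri) {
        [pscustomobject]@{ RequestUri = $u; Blocked = [bool]($u -imatch $Pattern) }
    }
}

# Constructed sample log (not real traffic). Addresses are documentation ranges.
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status',
    '2022-09-28 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 antSword/v2.1 mail.example.com 200',
    '2022-09-28 10:15:09 10.0.0.5 GET /owa/ - 443 - 198.51.100.4 Mozilla/5.0 mail.example.com 200',
    '2022-09-28 10:16:30 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell?X-Rps-CAT=BBBB 443 - 203.0.113.7 Mozilla/5.0 mail.example.com 401'
)

# Lines 1 and 3 are reported; the 401 would be missed by a pattern that ends in "200".
Find-ExchangeExploitAttempts -LogLines $sampleLog | Format-Table -AutoSize

# Only the first URI is blocked: the second has no "@" and the third no "powershell".
Test-BlockRulePattern -RequestUri @(
    '/autodiscover/autodiscover.json?@evil.com/powershell?X-Rps-CAT=AAAA',
    '/autodiscover/autodiscover.json?evil.com/powershell?X-Rps-CAT=AAAA',
    '/autodiscover/autodiscover.json?@evil.com/ews/exchange.asmx'
) | Format-Table -AutoSize

# Against real logs on an Exchange server (path is an assumption):
# Get-ChildItem -Recurse -Path 'C:\inetpub\logs\LogFiles' -Filter '*.log' |
#     ForEach-Object { Find-ExchangeExploitAttempts -LogLines (Get-Content $_.FullName) }
```

Two practical points follow from the sample run. The article's one-liner anchors on a 200 status, which finds successful exploitation but not failed or blocked attempts from the same source, so hunting should include non-200 responses from the same client IPs. And the rewrite rule is only as good as its regex: it is a stopgap that narrows the request shape GTSC observed, not a fix, which is why the security update that replaces it matters.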

Microsoft and ZDI spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today.

This is a developing story.