Microsoft Exchange Server is a mail and calendaring server widely used by businesses across the globe. In the past 24 hours, two vulnerabilities have been discovered that allow hackers access to attack users’ systems.
What: Click here to view Bleeping Computer’s article regarding the vulnerability.
If exploited, these vulnerabilities could allow a malicious actor to break into a user’s system and compromise sensitive data. Fortunately, this specific type of vulnerability can only be taken advantage of by an internal source, so there is a layer of complexity that prevents these from being widely exploited. Microsoft did acknowledge known attacks, stating “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”
Who: Users of Microsoft Exchange operating on a Microsoft Exchange Server
How:
If you are a client of Technology Associates, our team has taken steps to apply a security patch to mitigate risk until Microsoft releases their official patch. We are monitoring the status of these vulnerabilties to protect you in the case of new developments. Our team regularly monitors and updates all security patches for vulnerabilities in the background. You do not need to take any action at this time.
If you are not a client of TA, “The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”
To apply the mitigation to vulnerable servers, you will need to go through the following steps:
Open the IIS Manager.
Expand the Default Web Site.
Select Autodiscover.
In the Feature View, click URL Rewrite.
In the Actions pane on the right-hand side, click Add Rules.
Select Request Blocking and click OK.
Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
Change the condition input from {URL} to {REQUEST_URI}.
Microsoft also suggests you block these remote powershell ports:
HTTP: 5985
HTTPS: 5986