MA-939.052023: MyCERT Alert - Microsoft Azure VMs Hijacked in Cloud Cyberattack

  • 25 May 2023
  • Alert
  • microsoft, azure, vm, cloud, security

1.0 Introduction

Recently, a threat actor group tracked as “UNC3944” by the cybersecurity firm Mandiant, also known as Roasted 0ktapus and Scattered Spider, has been reported to hijack Microsoft Azure Virtual Machines (VMs) in customer environments by using the Azure Serial Console to install third-party remote management software. In addition to evading the standard detection techniques used in Azure, this attack method also gave the attacker full administrative access to the VM. Unfortunately, cloud resources are frequently misunderstood, resulting in configuration errors that may expose these assets to attack.

UNC3944, also known as Roasted 0ktapus and Scattered Spider, is a financially motivated threat actor that has been active since at least May 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts. Using Microsoft’s cloud computing infrastructure, their campaign aims to steal data from victimized organizations. The STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit, used to terminate security applications, was previously attributed to UNC3944. The threat actors used stolen Microsoft hardware developer accounts to sign their kernel drivers.


2.0 Impact

  • Attacker gains full access to the Azure VM.
  • Attacker exports information about the users in the tenant.
  • Attacker gathers information about the Azure environment configuration and the various VMs.
  • Attacker creates or modifies accounts.


3.0 Affected System and Devices

  • Microsoft Azure Cloud VM environments


4.0 Technical Details

4.1 SIM Swapping Azure Admins

Initial access to the Azure administrator’s account is gained using stolen credentials obtained through SMS phishing, a technique frequently used by UNC3944. The attackers then impersonate the administrator when contacting help desk representatives in order to induce them to send a multi-factor authentication reset code by SMS to the target’s phone number.

However, the attacker had previously SIM-swapped the administrator’s number and ported it to their own device, so they obtained the 2FA token without the victim being aware of the compromise. Mandiant has not yet discovered how the attackers carry out the SIM-swapping portion of their operation. However, prior instances have demonstrated that facilitating an illegitimate number port only requires knowing the target’s phone number and collaborating with dishonest telecom staff.

As soon as the attackers gain access to the targeted company’s Azure environment, they use their administrator rights to gather data, modify existing Azure accounts, or even create new ones.

Initial access diagram (Mandiant)

4.2 Living-off-the-Land (LotL) Tactic

In the subsequent phase of the attack, UNC3944 employs Azure Extensions to perform reconnaissance, collect data, disguise their malicious activity as apparently innocent everyday tasks, and blend in with regular activity.

Azure Extensions are “add-on” features and services that can be added to an Azure Virtual Machine (VM) to enhance functionality, automate processes, and so on. These extensions are stealthy and less suspicious because they are executed inside the VM and are frequently used for legitimate purposes.

In this instance, the threat actor used “CollectGuestLogs”, one of the built-in Azure diagnostic extensions, to acquire log files from the compromised endpoint. Moreover, Mandiant has discovered evidence of the threat actor attempting to misuse the following additional extensions:

Extensions the threat actor attempted to abuse (Mandiant)


4.3 Breaching VMs to Steal Data

Next, UNC3944 accesses the administrative console of VMs using the Azure Serial Console and issues commands via a command prompt over the serial port. According to Mandiant’s assessment, the method of attack was unique in that it evaded many of the traditional detection methods employed with Azure and gave the attacker full administrative access to the VM.

Mandiant found that the first command the intruders run is “whoami”, in order to identify the user who is currently signed in and obtain information needed for further exploitation.

Using Azure Serial Console to gain access to a virtual machine (Mandiant)

According to Mandiant’s analysis, the threat actors then use PowerShell to deploy several commercially available remote administration tools (not named in the report) in order to maintain persistence on the VM.

UNC3944’s next move is to build a reverse SSH tunnel to their C2 server in order to maintain covert, ongoing access over a secure channel and bypass network restrictions and security controls.

To enable direct access to the Azure VM over Remote Desktop, the attacker configures the reverse tunnel with port forwarding. For instance, any incoming connection to port 12345 on the remote machine would be forwarded to port 3389 on the local host, the Remote Desktop Protocol (RDP) service port.

After gaining access to the affected Azure VM via the reverse shell and a compromised user account, the attackers then expand their control over the compromised environment and steal data.
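The two Azure-side behaviours described in sections 4.2 and 4.3, VM extension installs and Serial Console connections, both leave records in the Azure Activity Log, which gives defenders a place to hunt. The script below is an added example written for this alert, not code from MyCERT or Mandiant. The Activity Log operation names, the extension watch-list and the log records are assumptions constructed for illustration; confirm the operation names and resource id layout against the Activity Log in your own tenant before building a detection on them.

```python
"""Added example: hunt Azure Activity Log records for Serial Console access
and suspicious VM extension installs, then correlate the two per caller and VM.
Operation names, the extension watch-list and the records are ASSUMED /
constructed for illustration; verify them against your own tenant's logs."""
from datetime import datetime, timedelta

# Assumed Activity Log operation names (check against your tenant before use).
SERIAL_CONSOLE_OP = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"

# Assumed watch-list: CollectGuestLogs is named in the alert; the others are
# extensions that execute code or change credentials inside the guest.
WATCHED_EXTENSIONS = {"collectguestlogs", "customscriptextension", "vmaccessagent"}

# A Serial Console connect followed by a watched extension install on the same
# VM by the same caller within this window is escalated to high severity.
CORRELATION_WINDOW = timedelta(minutes=30)

VM_PREFIX = "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/"

# Constructed sample records in a simplified Activity Log shape (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2023-05-10T02:14:00Z", "caller": "admin@contoso.example",
     "operationName": EXTENSION_WRITE_OP,
     "resourceId": VM_PREFIX + "vm-app-01/extensions/AzureMonitorWindowsAgent"},
    {"time": "2023-05-10T02:20:00Z", "caller": "admin@contoso.example",
     "operationName": SERIAL_CONSOLE_OP,
     "resourceId": VM_PREFIX + "vm-app-01"},
    {"time": "2023-05-10T02:31:00Z", "caller": "admin@contoso.example",
     "operationName": EXTENSION_WRITE_OP,
     "resourceId": VM_PREFIX + "vm-app-01/extensions/CollectGuestLogs"},
    {"time": "2023-05-10T09:05:00Z", "caller": "ops@contoso.example",
     "operationName": EXTENSION_WRITE_OP,
     "resourceId": VM_PREFIX + "vm-db-02/extensions/CustomScriptExtension"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def vm_of(resource_id):
    """VM name from a virtualMachines resource id or one of its extension child ids."""
    parts = resource_id.split("/")
    return parts[parts.index("virtualMachines") + 1] if "virtualMachines" in parts else None


def extension_of(resource_id):
    """Extension name if the resource id points at a VM extension, else None."""
    parts = resource_id.split("/")
    return parts[parts.index("extensions") + 1] if "extensions" in parts else None


def analyze(events):
    """Return findings (dicts with vm, caller, time, reason, severity) in time order."""
    findings = []
    last_console = {}  # (caller, vm) -> time of the most recent Serial Console connect
    for e in sorted(events, key=lambda ev: parse_time(ev["time"])):
        t, caller, vm = parse_time(e["time"]), e["caller"], vm_of(e["resourceId"])
        if e["operationName"] == SERIAL_CONSOLE_OP:
            # Serial Console use is rare in routine operations, so every connect is surfaced.
            last_console[(caller, vm)] = t
            findings.append({"vm": vm, "caller": caller, "time": e["time"],
                             "reason": "serial console connect", "severity": "medium"})
        elif e["operationName"] == EXTENSION_WRITE_OP:
            ext = extension_of(e["resourceId"])
            if ext and ext.lower() in WATCHED_EXTENSIONS:
                prior = last_console.get((caller, vm))
                severity = "high" if prior is not None and t - prior <= CORRELATION_WINDOW else "medium"
                findings.append({"vm": vm, "caller": caller, "time": e["time"],
                                 "reason": f"watched extension installed: {ext}",
                                 "severity": severity})
    return findings


def callers_with_high_findings(findings):
    """Distinct callers that have at least one high-severity finding."""
    return sorted({f["caller"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:6} {f['caller']:22} {f['vm']:10} {f['reason']}")
```

On the constructed records the script surfaces three findings: the Serial Console connect to vm-app-01, the CollectGuestLogs install eleven minutes later by the same caller on the same VM (escalated to high), and an unrelated CustomScriptExtension install by a different caller (medium). Routine monitoring-agent installs are not flagged, which is the point of keeping a watch-list rather than alerting on every extension write.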


5.0 Recommendations
MyCERT recommends that users and administrators follow the security best practices recommended by Microsoft for Azure virtual machine environments, as follows:

  • Enable Microsoft Defender for Cloud.
  • Improve your Secure Score.
  • Require multi-factor authentication.
  • Enable Conditional Access.
  • Collect audit logs.
  • Use RemoteApps.
  • Monitor usage with Azure Monitor.
  • Encrypt your VM.

You may refer to the full guide here: https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my


6.0 References

MA-937.052023: MyCERT Advisory - Microsoft Releases May 2023 Security Updates

  • 16 May 2023
  • Advisory
  • microsoft, security, update, may

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software. 

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Windows 10, Windows 11 and Windows Server operating systems. Users of Windows 7, Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates.

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s May 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the URLs below:

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

MA-926.042023: MyCERT Advisory - Microsoft Releases April 2023 Security Updates

  • 14 Apr 2023
  • Advisory
  • microsoft, update, april

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
This release consists of security updates for the following products, features and roles.

  • .NET Core
  • Azure Machine Learning
  • Azure Service Connector
  • Microsoft Bluetooth Driver
  • Microsoft Defender for Endpoint
  • Microsoft Dynamics
  • Microsoft Dynamics 365 Customer Voice
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Message Queuing
  • Microsoft Office
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft PostScript Printer Driver
  • Microsoft Printer Drivers
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows DNS
  • Visual Studio
  • Visual Studio Code
  • Windows Active Directory
  • Windows ALPC
  • Windows Ancillary Function Driver for WinSock
  • Windows Boot Manager
  • Windows Clip Service
  • Windows CNG Key Isolation Service
  • Windows Common Log File System Driver
  • Windows DHCP Server
  • Windows Enroll Engine
  • Windows Error Reporting
  • Windows Group Policy
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows Kerberos
  • Windows Kernel
  • Windows Layer 2 Tunneling Protocol
  • Windows Lock Screen
  • Windows Netlogon
  • Windows Network Address Translation (NAT)
  • Windows Network File System
  • Windows Network Load Balancing
  • Windows NTLM
  • Windows PGM
  • Windows Point-to-Point Protocol over Ethernet (PPPoE)
  • Windows Point-to-Point Tunneling Protocol
  • Windows Raw Image Extension
  • Windows RDP Client
  • Windows Registry
  • Windows RPC API
  • Windows Secure Boot
  • Windows Secure Channel
  • Windows Secure Socket Tunneling Protocol (SSTP)
  • Windows Transport Security Layer (TLS)
  • Windows Win32K

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s April 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URL: https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References
https://www.cisa.gov/news-events/alerts/2023/04/11/microsoft-releases-april-2023-security-updates

MA-925.042023: MyCERT Advisory - CISA Adds 1 Known Exploited Vulnerability to Catalog

  • 14 Apr 2023
  • Advisory
  • clfs, microsoft, privilege escalation, vulnerability

1.0 Introduction

Recently, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2023-28252 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability

2.0 Impact
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

3.0 Affected Products
Microsoft Windows OS

4.0 Recommendations
MyCERT strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

Kindly refer to the following URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References
https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog

MA-922.042023: MyCERT Advisory - Microsoft Releases Guidance for the BlackLotus Campaign

  • 14 Apr 2023
  • Advisory
  • blacklotus, microsoft, uefi

1.0 Introduction

Recently, Microsoft has released Guidance for investigating attacks using CVE-2022-21894: The BlackLotus Campaign. According to Microsoft, “[t]his guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.”

2.0 Impact
An attacker could exploit this vulnerability to take control of an affected system.

3.0 Affected Products
PCs with Microsoft Windows OS installed

4.0 Recommendations
MyCERT urges users and organizations to review the Microsoft Blog Post for more information, and apply necessary detection, recovery, and prevention strategies. 

Kindly refer to: https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

MA-914.032023: MyCERT Advisory - Microsoft's Monthly (March 2023) consolidated tech and security patches update

  • 17 Mar 2023
  • Advisory
  • microsoft, security, update

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
This release consists of security updates for the following products, features and roles.

  • Azure
  • Client Server Run-time Subsystem (CSRSS)
  • Internet Control Message Protocol (ICMP)
  • Microsoft Bluetooth Driver
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft OneDrive
  • Microsoft PostScript Printer Driver
  • Microsoft Printer Drivers
  • Microsoft Windows Codecs Library
  • Office for Android
  • Remote Access Service Point-to-Point Tunneling Protocol
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Service Fabric
  • Visual Studio
  • Windows Accounts Control
  • Windows Bluetooth Service
  • Windows Central Resource Manager
  • Windows Cryptographic Services
  • Windows Defender
  • Windows HTTP Protocol Stack
  • Windows HTTP.sys
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows Kernel
  • Windows Partition Management Driver
  • Windows Point-to-Point Protocol over Ethernet (PPPoE)
  • Windows Remote Procedure Call
  • Windows Remote Procedure Call Runtime
  • Windows Resilient File System (ReFS)
  • Windows Secure Channel
  • Windows SmartScreen
  • Windows TPM
  • Windows Win32K

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s March 2023 Security Update Guide and Deployment Information and apply the necessary updates. Kindly refer to the URLs below:

Microsoft’s March 2023 Security Update Guide: https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar
Deployment Information: https://msrc.microsoft.com/update-guide/deployments

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

MA-909.022023: MyCERT Advisory - Microsoft Releases February 2023 Security Updates

  • 17 Feb 2023
  • Advisory
  • microsoft, february, update

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

This release consists of security updates for the following products, features and roles.

  • .NET and Visual Studio
  • .NET Framework
  • 3D Builder
  • Azure App Service
  • Azure Data Box Gateway
  • Azure DevOps
  • Azure Machine Learning
  • HoloLens
  • Internet Storage Name Service
  • Microsoft Defender for Endpoint
  • Microsoft Defender for IoT
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office OneNote
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft PostScript Printer Driver
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Codecs Library
  • Power BI
  • SQL Server
  • Visual Studio
  • Windows Active Directory
  • Windows ALPC
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows Distributed File System (DFS)
  • Windows Fax and Scan Service
  • Windows HTTP.sys
  • Windows Installer
  • Windows iSCSI
  • Windows Kerberos
  • Windows MSHTML Platform
  • Windows ODBC Driver
  • Windows Protected EAP (PEAP)
  • Windows SChannel
  • Windows Win32K

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s February 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References
https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/microsoft-releases-february-2023-security-updates

MA-905.012023: MyCERT Advisory - Microsoft Releases January 2023 Security Updates

  • 13 Jan 2023
  • Advisory
  • microsoft, security, update, windows

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Various Microsoft products and software are affected including, but not limited to:

  • .NET Core
  • 3D Builder
  • Azure Service Fabric Container
  • Microsoft Bluetooth Driver
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Message Queuing
  • Microsoft Office
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft WDAC OLE DB provider for SQL
  • Visual Studio Code
  • Windows ALPC
  • Windows Ancillary Function Driver for WinSock
  • Windows Authentication Methods
  • Windows Backup Engine
  • Windows Bind Filter Driver
  • Windows BitLocker
  • Windows Boot Manager
  • Windows Credential Manager
  • Windows Cryptographic Services
  • Windows DWM Core Library
  • Windows Error Reporting
  • Windows Event Tracing
  • Windows IKE Extension
  • Windows Installer
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows iSCSI
  • Windows Kernel
  • Windows Layer 2 Tunneling Protocol
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Local Security Authority (LSA)
  • Windows Local Session Manager (LSM)
  • Windows Malicious Software Removal Tool
  • Windows Management Instrumentation
  • Windows MSCryptDImportKey
  • Windows NTLM
  • Windows ODBC Driver
  • Windows Overlay Filter
  • Windows Point-to-Point Tunneling Protocol
  • Windows Print Spooler Components
  • Windows Remote Access Service L2TP Driver
  • Windows RPC API
  • Windows Secure Socket Tunneling Protocol (SSTP)
  • Windows Smart Card
  • Windows Task Scheduler
  • Windows Virtual Registry Provider
  • Windows Workstation Service

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s January 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URL for more information:

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

MA-897.122022: MyCERT Advisory - Microsoft Releases December 2022 Security Updates

  • 15 Dec 2022
  • Advisory
  • microsoft, security, updates

1.0 Introduction

Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
This release consists of security updates for the following products, features and roles.

  • .NET Framework
  • Azure
  • Client Server Run-time Subsystem (CSRSS)
  • Microsoft Bluetooth Driver
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office OneNote
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Windows Codecs Library
  • Role: Windows Hyper-V
  • SysInternals
  • Windows Certificates
  • Windows Contacts
  • Windows DirectX
  • Windows Error Reporting
  • Windows Fax Compose Form
  • Windows HTTP Print Provider
  • Windows Kernel
  • Windows PowerShell
  • Windows Print Spooler Components
  • Windows Projected File System
  • Windows Secure Socket Tunneling Protocol (SSTP)
  • Windows SmartScreen
  • Windows Subsystem for Linux
  • Windows Terminal

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s December 2022 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URLs:

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

MA-882.102022: MyCERT Alert - Microsoft Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

  • 30 Oct 2022
  • Alert
  • exchange, server, zero day, vulnerability

1.0 Introduction
Two zero-day vulnerabilities affecting Microsoft Exchange Server were reported this week. At the time of writing, Microsoft is aware of the issue, is working on releasing a fix soon, and is providing temporary workarounds in the meantime.

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. 

2.0 Impact
CVE-2022-41040 can enable an authenticated attacker to trigger CVE-2022-41082 remotely, which in turn allows remote code execution (RCE) when PowerShell is accessible to the attacker. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

3.0 Affected System and Devices
The affected Microsoft products are Microsoft Exchange Server 2013, 2016, and 2019.

4.0 Recommendations
Users and administrators of the affected Microsoft Exchange products are advised to follow and apply the mitigation steps in the guide below while waiting for a patch to be released by Microsoft. Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block exposed Remote PowerShell ports.

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. 

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains. The steps are as below:

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
  • Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.