
URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”
2022-09-30 18:25

Just having your Exchange server accessible to email users over the internet is not enough on its own to expose you to attack, because so-called unauthenticated invocation of these bugs is not possible: an attacker first needs to authenticate to the server with valid credentials for at least one user, which is why already-compromised accounts and devices (see below) matter so much here.

According to Microsoft, blocking TCP ports 5985 and 5986 (the WinRM HTTP and HTTPS listeners used by PowerShell Remoting) on your Exchange server will limit attackers' ability to chain from the first vulnerability to the second.

Although attacks might be possible without relying on triggering PowerShell commands, the intrusion reports published so far suggest that PowerShell execution has been a necessary part of the attacks actually observed.

Block PowerShell Remoting to reduce the risk of RCE. As mentioned above, blocking TCP ports 5985 and 5986 will limit attacks on your Exchange server, according to Microsoft. Bear in mind that this is a mitigation for the exploit chain, not a fix for the underlying bugs, and that it will also block any legitimate WinRM-based remote administration of that server, so plan for that before you apply it.
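The port-blocking mitigation above, written out as an added PowerShell example (this is not code from the Sophos article or from Microsoft's guidance). It assumes it is run in an elevated session on the Exchange server itself; the rule name is an arbitrary label chosen here. It shows what is currently listening on the WinRM ports, adds an inbound block rule only if one with that name does not already exist, and then reads the rule back to confirm it covers both ports.

```powershell
# Added example: block and verify the WinRM / PowerShell Remoting ports on an Exchange server.
# Run elevated on the server itself. The rule name is an arbitrary label chosen for this example.
$winrmPorts = 5985, 5986
$ruleName   = 'Block WinRM inbound (Exchange mitigation)'

# 1. What is listening on those ports right now? (The WinRM service, when remoting is enabled.)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $winrmPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Create the inbound block rule if it does not already exist (idempotent on re-runs).
#    Windows Firewall evaluates Block rules ahead of ordinary Allow rules, so this overrides
#    the default "Windows Remote Management" allow rules without you having to remove them.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $winrmPorts `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# 3. Read the rule back and confirm it is enabled and covers both ports.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 4. From a second host, confirm the ports are no longer reachable; TcpTestSucceeded should be False.
#    Replace <exchange-server> with the real hostname.
#    Test-NetConnection -ComputerName <exchange-server> -Port 5985
#    Test-NetConnection -ComputerName <exchange-server> -Port 5986
```

A host-level firewall rule is a reasonable first step because it can be deployed in minutes, but an attacker who already has administrative code execution on the box can remove it again, so treat it as a way to buy time until patches arrive rather than as a lasting control, and back it up with the same block on any network firewall in front of the server.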

If you can perform some sort of endpoint security assessment on each user's device before allowing them to reauthenticate, you will reduce the risk of already-compromised devices being co-opted into launching attacks.

It looks as though the most important things to bear in mind are: [a] the tips and techniques you learned for hunting down ProxyShell attacks are almost certainly going to be helpful here, albeit not the only tools you may need; [b] despite the similarities, this isn't ProxyShell, so your ProxyShell patches won't protect you from it; and [c] when patches do arrive, assume that they will be reverse engineered back into working exploits very quickly, so don't delay in applying them.
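As an added example of the ProxyShell-style log review that point [a] alludes to (this is not code from the Sophos article): scan Exchange IIS W3C logs for requests whose autodiscover URL carries the "@host/powershell" suffix, the access pattern that public ProxyShell hunting guidance keyed on. The regular expression is an assumption borrowed from that ProxyShell-era guidance, not a claim about the exact traffic of the new bugs; the sample log lines are constructed for the demo, and the real log directory path is the usual IIS default, which may differ on your server.

```powershell
# Added example: hunt IIS W3C logs for ProxyShell-style "autodiscover.json ... @host/powershell" requests.
# The three log lines below are constructed for this demo. Point $logPath at the real IIS log
# folder (default C:\inetpub\logs\LogFiles) to run the same function over live logs.
$pattern = 'autodiscover\.json.*@.*powershell'   # assumed hunting pattern; Select-String is case-insensitive

$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-09-29 01:02:03 10.0.0.5 GET /owa/ - 443 user1 203.0.113.9 200
2022-09-29 01:02:07 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/powershell/ 443 user1 203.0.113.9 200
2022-09-29 01:02:09 10.0.0.5 GET /ecp/ - 443 user2 198.51.100.4 200
'@

function Find-SuspiciousRequests {
    param(
        [string[]]$Lines,    # raw W3C log lines, header lines included
        [string]$Pattern     # regex to match against the whole line
    )
    $Lines | Select-String -Pattern $Pattern | ForEach-Object {
        # W3C field order as declared in the #Fields header above:
        # 0 date, 1 time, 2 s-ip, 3 cs-method, 4 cs-uri-stem, 5 cs-uri-query,
        # 6 s-port, 7 cs-username, 8 c-ip, 9 sc-status
        $f = $_.Line -split ' '
        [pscustomobject]@{
            Time   = "$($f[0]) $($f[1])"
            Client = $f[8]
            User   = $f[7]
            Status = $f[9]
            Uri    = "$($f[4]) $($f[5])"
        }
    }
}

# Demo run over the constructed lines: only the autodiscover/powershell request is reported.
# Split on "`r?`n" so Windows CRLF here-strings do not leave a stray carriage return in the last field.
Find-SuspiciousRequests -Lines ($sampleLog -split "`r?`n") -Pattern $pattern | Format-Table -AutoSize

# Live run over every *.log file under the IIS log folder (uncomment on the server):
# $logPath = 'C:\inetpub\logs\LogFiles'
# Get-ChildItem -Path $logPath -Recurse -Filter '*.log' |
#     ForEach-Object { Find-SuspiciousRequests -Lines (Get-Content $_.FullName) -Pattern $pattern } |
#     Sort-Object Time | Format-Table -AutoSize
```

Hits with a 200 status and a real username are the ones to escalate, because the article's point is that these bugs need an authenticated user, so the cs-username field tells you which account the attacker was using. No hits does not prove you are clean: as point [a] says, the ProxyShell playbook is a starting point here, not the whole toolkit.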


News URL

https://nakedsecurity.sophos.com/2022/09/30/urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different/

Related vendor

Vendor: Microsoft
Last 12M / #Products (only one of the two values is present in the source): 480
Low: 75   Medium: 2308   High: 5127   Critical: 264   Total vulns: 7774