Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Two Zero-Day Vulnerabilities for On-premises Exchange Servers

October 4, 2022

Here we go again. Another reason to be in the cloud. BleepingComputer reported active attacks against on-premises Microsoft Exchange servers that take advantage of two zero-day flaws. Microsoft posted an advisory with instructions on how to reduce the risk of exploitation by creating a URL Rewrite rule in the IIS Manager.

  1. Open the IIS Manager.
  2. Select Default Web Site.
  3. In the Feature View, click URL Rewrite.
  4. In the Actions pane on the right-hand side, click Add Rules….
  5. Select Request Blocking and click OK.
  6. Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and then click OK.
  7. Expand the rule and select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
  8. Change the Condition input from {URL} to {REQUEST_URI}

As an alternative, Exchange administrators can run Microsoft’s updated Exchange On-premises Mitigation Tool to achieve the same result. You should implement the recommended fix, but be aware that the mitigation can still be bypassed. You should also disable remote PowerShell access for non-admin users. An even better solution is to abandon your on-premises Exchange server and move to the cloud with Exchange Online.

Email:   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://senseient.com