- Microsoft on Tuesday updated guidance on the URL Rewrite rule, which was designed to help customers prevent future attacks related to two zero-day vulnerabilities found in Exchange Server. The vulnerabilities, confirmed last week by Microsoft, were first identified by Vietnam-based GTSC in August.
- The URL rewrite rule guidance was a mitigation strategy that Microsoft suggested to help organizations block against known attack patterns for customers using Exchange server. However, researchers at GTSC as well as researcher Kevin Beaumont, pointed out flaws in the suggested mitigations that could allow an attacker to bypass the changes.
- “The original mitigations provided by Microsoft were unfortunately easy to maliciously subvert," Dray Agha, senior threatops analyst team lead at Huntress, said via email. “As Kevin noted, those who applied the original mitigations were still vulnerable due to this mitigation bypass."
Microsoft updated mitigation steps for customers after it confirmed disclosures by GTSC about attacks involving the installation of Chopper malware against organizations using on-premises Exchange server 2013, 2016 and 2019.
Microsoft was aware of less than 10 organizations being impacted, but warned of a potential escalation of attacks. The company said the single threat actor was state-sponsored.
Microsoft on Tuesday released URL Rewrite mitigation for Exchange server 2016 and 2019 for customers who have the Exchange Emergency Mitigation Service enabled. Microsoft previously added the feature in a September 2021 update.
To mitigate the vulnerabilities, customers can also run an EOMTv2 script that auto updates internet-connected machines that can be run on Exchange Server when EEMS is not enabled.
It is also an option for customers to go through a series of 10 steps in IIS Manager, which allows a user to request blocking in the URL Rewrite window. Microsoft made changes in steps 6-10, which it highlighted in the instructions.
Until a patch is released, researchers expect additional moves to either test the mitigation steps or get around them with ill intent.
“Unfortunately we are likely to see this become a game of cat and mouse, as adversaries and security researchers alike find new ways to bypass the mitigations from Microsoft,” Agha said.