Exchange administrators can’t rest: After an initial workaround for an actively targeted zero-day vulnerability in Exchange failed to protect properly and Microsoft released an updated set of rules, the vendor once again released an updated rule. Microsoft advises administrators to delete the previously created rule and use a new one.
In the updated Microsoft mitigation guide, the company explains that the new request-blocking rule created for automatic detection should receive the string `.*autodiscover\.json.*Powershell.*`. Admins need to select "Regular Expression" under "Using" and "Abort Request" under "How to block". What is new is that administrators must then select the newly created rule and click "Edit" under "Conditions". In the "Condition input" field they must change `{URL}` to `{UrlDecode:{REQUEST_URI}}`.
Other countermeasures
To better protect against vulnerability attacks, IT administrators should also disable remote access to PowerShell for non-administrators. In the update, Microsoft makes it very clear that administrators must implement both measures, i.e. create the rule and revoke remote access to PowerShell.
For Exchange installations where administrators have enabled the Exchange Emergency Mitigation Service (EEMS), Microsoft has now redistributed the updated rule, so no action is required there. Without this service, administrators can use the likewise updated EOMTv2 script, version 22.10.05.2304, to apply the rule automatically, or create the rule entirely by hand.
Hopefully the current set of rules will hold up against the active attacks without further changes, and Microsoft will soon provide a software update that properly closes the security gaps.
(DMK)