Until it is determined whether this attack can be relayed via WebDAV (i.e., via HTTP through your firewall even if it's blocking SMB), I would also disable the "Web Client" service on your Exchange server. /cc @wdormann https://twitter.com/certcc/status/1089570070693642240 …
The documented EWS PushSubscriptionRequest() function allows an Exchange mailbox owner to cause the Exchange server to make an HTTP request to an arbitrary web server. And it happens to attempt NTLM authentication while at it.
-
So the subscription request is originally HTTP with authentication? Not SMB?
-
Yes. See these screenshots of Exchange 2010 traffic vs. Exchange 2013. All the magic is happening over HTTP, as that's what the exploit's call to PushSubscriptionRequest() tells the Exchange server to connect to. Note the difference between the sign/seal flags and wonder... pic.twitter.com/uAQ4YSEoKo