Hackers Actively Searching for Unpatched Microsoft Exchange Servers


Threat actors are actively scanning for and opportunistically exploiting on-premises Exchange servers using a new exploit chain that combines three flaws, making them the latest set of Exchange bugs to be exploited en masse after the ProxyLogon vulnerabilities at the start of the year.

The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 exposed machines are still vulnerable, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.

“Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,” NCC Group’s Richard Warren tweeted, noting that one of the intrusions resulted in the deployment of a “C# aspx webshell in the /aspnet_client/ directory.”

Patched on March 2, 2021, ProxyLogon is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server itself; chained with CVE-2021-27065, a post-authentication arbitrary file write, it gives the attacker code execution on the server.

The vulnerabilities came to light after Microsoft disclosed that a state-sponsored hacking operation based in China had leveraged the weaknesses to strike entities in the U.S. and exfiltrate information, in what the company described at the time as limited and targeted attacks.

Since then, the Windows maker has fixed six more flaws in its mail server, two of which, collectively called ProxyOracle, enable an adversary to recover a user's password in plaintext.

Three other issues, known as ProxyShell, chain a pre-authentication path-confusion flaw that bypasses ACL checks (CVE-2021-34473), an elevation of privilege on the Exchange PowerShell backend (CVE-2021-34523) and a post-authentication arbitrary file write (CVE-2021-31207); together they effectively authenticate an unauthenticated attacker and lead to remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were fixed in April but inadvertently omitted from publication until July.

ProxyLogon:

  • CVE-2021-26855 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
  • CVE-2021-26857 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
  • CVE-2021-26858 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
  • CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)

ProxyOracle:

  • CVE-2021-31195 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)
  • CVE-2021-31196 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)

ProxyShell:

  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)

Other:

  • CVE-2021-33768 – Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)

Originally demonstrated at the Pwn2Own hacking competition this April, the ProxyShell attack chain had its technical details disclosed by DEVCORE researcher Orange Tsai at the Black Hat USA 2021 and DEF CON security conferences last week. Organizations are strongly advised to install the updates released by Microsoft; because Exchange security updates only install on top of a supported cumulative update, servers still running an older CU must first be brought to a current one. Patching closes the door but does not evict an intruder who already got in, so administrators should also check the /aspnet_client/ directory, where the honeypot intrusion above dropped its webshell, for .aspx files that do not belong there.
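The post-patch check above, as an added example that is not part of the original article or of any Microsoft or NCC Group tooling: a small scanner that walks an aspnet_client directory, flags any server-side script file (the directory normally holds only client-side assets such as system_web/<version>/WebUIValidation.js, so any .aspx there is anomalous by itself) and grades each hit by the webshell idioms it contains. The directory layout, the sample webshell text and the regex markers are constructed for the example; on a real server point it at the aspnet_client folder under the Exchange front-end virtual directory (the exact path is an assumption to confirm in IIS Manager).

```python
"""Triage an Exchange aspnet_client directory for dropped webshells (example code)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions IIS hands to the ASP.NET engine. None of them belong in aspnet_client,
# which should contain only client-side script and image assets.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax"}

# Constructed idioms common to C# webshells; presence raises severity, absence does
# not clear a file (any executable file in this directory is still a finding).
WEBSHELL_MARKERS = {
    "request-driven input": re.compile(r"Request(\.Item|\.Form|\.QueryString)?\s*\[", re.I),
    "process execution": re.compile(r"Process\.Start|cmd(\.exe)?\s*/c|powershell(\.exe)?", re.I),
    "dynamic code eval": re.compile(r"\beval\s*\(|CompileAssemblyFromSource|Assembly\.Load", re.I),
    "file write": re.compile(r"File\.WriteAll|FileStream|Server\.MapPath", re.I),
}


def scan_aspnet_client(root, now=None):
    """Return one finding per executable file under root, newest-first by modification time."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        try:
            body = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole sweep
        hits = [name for name, rx in WEBSHELL_MARKERS.items() if rx.search(body)]
        age_days = (now - path.stat().st_mtime) / 86400.0
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "age_days": round(age_days, 1),
            "markers": hits,
            "severity": "high" if hits else "medium",
        })
    findings.sort(key=lambda f: f["age_days"])
    return findings


def build_sample_tree(root):
    """Write a constructed aspnet_client tree: one benign asset, one stale page, one webshell."""
    root = Path(root)
    now = time.time()
    benign = root / "system_web" / "4_0_30319" / "WebUIValidation.js"
    benign.parent.mkdir(parents=True, exist_ok=True)
    benign.write_text("// constructed stand-in for the client-side validation script\n")
    # Old, marker-free .aspx: still out of place, so it is reported at medium severity.
    stale = root / "index.aspx"
    stale.write_text('<%@ Page Language="C#" %>\n<html>placeholder</html>\n')
    os.utime(stale, (now - 400 * 86400, now - 400 * 86400))
    # Constructed C# webshell dropped two days ago: runs a command taken from a request parameter.
    shell = root / "load.aspx"
    shell.write_text(
        '<%@ Page Language="C#" %>\n'
        '<% var p = System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n'
    )
    os.utime(shell, (now - 2 * 86400, now - 2 * 86400))
    return root


def run_demo():
    """Build the sample tree in a temp directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_aspnet_client(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['severity']:6} {f['age_days']:>6.1f}d  {f['path']}  {', '.join(f['markers'])}")
```

The scan deliberately reports every executable file rather than only marker matches: an attacker can trivially obfuscate the idioms, but cannot make an .aspx file belong in a directory that should contain none. Age is included so that a file dropped after your last known-good baseline stands out first.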