11 March 2021

Security researcher shares PoC for Microsoft Exchange ProxyLogon flaws

A Vietnamese security researcher has released fully working proof-of-concept (PoC) code for a set of vulnerabilities in Microsoft Exchange Server collectively called “ProxyLogon”, which threat actors have been actively exploiting since the beginning of this year. The technical details of the exploit chain were provided in a blog post on Medium.

Several security researchers have already confirmed that the new PoC is valid. The exploit code appears to chain CVE-2021-26855 and CVE-2021-27065 to authenticate to an Exchange server and then run malicious code.

“Hafnium Exchange RCE Exploit. I've confirmed there is a public PoC floating around for the full RCE exploit chain. It has a couple of bugs but with some fixes I was able to get shell on my test box,” Marcus Hutchins, a security researcher at Kryptos Logic, wrote in a tweet.

In an interview with The Record, Hutchins said that the PoC “is not usable out of the box, but can be easily adjusted” to reach what security researchers call a “remote code execution” state.

Last week, Microsoft released emergency security updates for its Exchange Server enterprise email product to patch four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were being actively exploited in real-world attacks. At the time, the company attributed the attacks to a China-linked threat actor it calls Hafnium, which targets a number of sectors in the US, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, seeking to steal information.

Following Microsoft's disclosure there has been a spike in attacks exploiting the Exchange vulnerabilities. Estimates suggest that at least 60,000 organizations around the globe may have been compromised in the Microsoft Exchange hack.

According to the cybersecurity firm ESET, at least 10 state-sponsored hacking groups focused on cyber-espionage have exploited the Exchange Server flaws in recent days in operations around the world, many of them known to have ties to China. These include Winnti Group, Tonto Team (aka CactusPete), Mikroceen, LuckyMouse, Tick, Calypso and others.
