9 August 2021

Hackers actively scanning for Microsoft Exchange servers with ProxyShell vulnerabilities

Threat actors are actively scanning for the critical Microsoft Exchange ProxyShell vulnerabilities. The attacks began after cybersecurity researchers presented technical details of these flaws at the Black Hat conference.

ProxyShell attacks chain three vulnerabilities that allow unauthenticated attackers to achieve remote code execution on Microsoft Exchange servers. The vulnerabilities are exploited remotely through Microsoft Exchange's Client Access Service (CAS), which runs on port 443 in IIS.

The three ProxyShell vulnerabilities are CVE-2021-34473 (Pre-auth Path Confusion leads to ACL Bypass), CVE-2021-34523 (Elevation of Privilege on Exchange PowerShell Backend) and CVE-2021-31207 (Post-auth Arbitrary-File-Write leads to RCE). CVE-2021-34473 and CVE-2021-34523 were disclosed in July, but these problems were fixed earlier, in April's Microsoft Exchange KB5001779 cumulative update.

Security researcher Orange Tsai spoke at Black Hat about the recent Microsoft Exchange vulnerabilities he discovered while researching the Microsoft Exchange Client Access Service (CAS) attack surface. One part of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service, which lets mail client software configure itself with minimal user interaction.

Security researchers PeterJson and Jang published technical information about their successful reproduction of the ProxyShell exploit. Later, researcher Kevin Beaumont reported that attackers had probed his Microsoft Exchange honeypot, targeting the server's Autodiscover service. The initial attempts failed, but once more details about the vulnerabilities were disclosed, the attackers modified their scans to use the new Autodiscover URL. Accessing that URL causes the ASP.NET worker process (w3wp.exe) to compile a web application.

Administrators are strongly advised to use Azure Sentinel to check IIS logs for the "/autodiscover/autodiscover.json" or "/mapi/nspi/" strings. If they find requests to the targeted Autodiscover URL, it means threat actors have already been probing the server for the vulnerability. Microsoft Exchange admins must install the latest cumulative updates to protect their systems from these vulnerabilities.
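For administrators who cannot route IIS logs into Azure Sentinel, the same check can be run directly against the W3C-format log files on the server. The following script is an added example, not code from the article or from Microsoft: it parses the `#Fields:` header of an IIS W3C log, flags any request whose path or query string contains one of the two indicator strings named above, and summarises hits per client IP so a scanning source stands out. The embedded log lines are constructed sample data (RFC 5737 test addresses), not real traffic.

```python
"""Flag IIS W3C log entries that reference the ProxyShell scanning indicators
("/autodiscover/autodiscover.json" and "/mapi/nspi/"). Added example; the
sample log below is constructed, not captured from a real server."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Indicator strings from the article, matched case-insensitively against the
# request path and query string.
INDICATORS = ("/autodiscover/autodiscover.json", "/mapi/nspi/")


@dataclass
class Hit:
    date: str
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    indicator: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header.

    IIS W3C logs are space-separated; a "-" marks an empty field and spaces
    inside values (e.g. user agents) are already encoded as "+" by IIS.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can repeat when IIS restarts
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if not fields:
            raise ValueError("request line seen before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        yield dict(zip(fields, values))


def find_proxyshell_probes(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose path or query contains an indicator string."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        target = stem if query == "-" else f"{stem}?{query}"
        lowered = target.lower()
        for indicator in INDICATORS:
            if indicator in lowered:
                hits.append(Hit(
                    date=rec.get("date", "-"),
                    time=rec.get("time", "-"),
                    client_ip=rec.get("c-ip", "-"),
                    method=rec.get("cs-method", "-"),
                    uri=target,
                    status=rec.get("sc-status", "-"),
                    indicator=indicator,
                ))
                break  # one hit per request line
    return hits


def summarize_by_client(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per client IP; a scanner typically shows several from one source."""
    return dict(Counter(h.client_ip for h in hits))


# Constructed sample log in IIS W3C format (hypothetical server 10.0.0.5).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-08 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-08 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 45
2021-08-08 10:15:03 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 198.51.100.7 Mozilla/5.0 - 401 0 0 12
2021-08-08 10:15:04 10.0.0.5 GET /mapi/nspi/ - 443 - 198.51.100.7 Mozilla/5.0 - 401 0 0 9
2021-08-08 10:16:00 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\admin 10.0.0.20 Mozilla/5.0 - 200 0 0 80
"""

if __name__ == "__main__":
    found = find_proxyshell_probes(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.date} {h.time} {h.client_ip} {h.method} {h.uri} -> {h.status} ({h.indicator})")
    print("hits per client:", summarize_by_client(found))
```

On a real server, feed the script the files under `%SystemDrive%\inetpub\logs\LogFiles\` and review every flagged source address; a `401` on these paths only shows that a probe arrived, so any hit should prompt confirmation that the April cumulative update (KB5001779) and later updates are installed.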

There are currently 400,000 Microsoft Exchange servers exposed on the Internet, so there are bound to be successful attacks.
