23 August 2021

Hackers are actively targeting Microsoft Exchange servers using ProxyShell exploit


Hackers are actively targeting Microsoft Exchange servers using ProxyShell exploit

Threat actors are actively scanning for unpatched Microsoft Exchange servers vulnerable to the latest set of flaws in Exchange software known as “ProxyShell” that were fixed by Microsoft earlier this year.

Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities allow attackers to elevate privileges on the Exchange PowerShell backend and perform unauthenticated, remote code execution.

The attacks targeting vulnerable Exchange servers started soon after proof-of-concept exploit code was published online. According to the security firm Huntress Labs that first detected the attacks, at least five distinct styles of webshells were observed being deployed to vulnerable Microsoft Exchange servers, with over 100 incidents related to the exploit reported in just two days – between August 17 and 18. The researchers said that attackers use the ProxyShell exploit to install a backdoor for later access and post-exploitation.

Huntress Labs’ investigation into the hacked Exchange servers revealed more than 140 different web shells on more than 1,900 Exchange servers.

“Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more,” Kyle Hanslovan, CEO and co-founder of Huntress Labs tweeted.

Huntress Labs has shared Indicators of Compromise to help system administrators to determine if their servers are vulnerable to this threat.

Back to the list

Latest Posts

Cyber Security Week in Review: September 6, 2024

Cyber Security Week in Review: September 6, 2024

In brief: the US charges Russian GRU hackers for attacks on Ukraine, Apache, Cisco, Zyxel patch high-risk flaws, Google fixes Android zero-day, and more.
6 September 2024
Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Some of the documents appeared to be part of legitimate Red Team exercises, while other were intended for malicious purposes.
5 September 2024
US seizes 32 domains linked to Russian Doppelganger influence campaign

US seizes 32 domains linked to Russian Doppelganger influence campaign

The domains, used to disseminate propaganda, were seized as part of a broader effort to disrupt Russia’s attempts to interfere in the 2024 US Presidential Election.
5 September 2024