[German]Unknown thread actors are scanning the Internet for Microsoft Exchange servers that are updated to March 2021 and are not protected against the ProxyLogon vulnerability. CERT-Bund warns, and calls for patching. Meanwhile, there are advanced Sigma rules for administrators to defend against attacks. And there is a script that administrators can use to check whether their own Exchange servers are vulnerable. Below I have summarized some information around this topic.
Advertising
Old vulnerabilities, new attack scenarios
Taiwanese security researcher Orange Tsai from the DEVCORE team gave a presentation on Exchange vulnerabilities at BlackHat 2021 last week. In it, he showed how by combining old vulnerabilities (e.g., CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that were closed by updates in April 2021, Microsoft Exchange servers can be attacked and taken over via exploits called ProxyLogon, ProxyOracle, and ProxyShell. Since that presentation at BlackHat 2021, security researchers have noted that their Exchange servers acting as honeypots are being actively scanned by attackers for unclosed vulnerabilities.
I had already blogged a few days ago about that in the blog post Exchange vulnerabilities: Will we see Hafnium II?. The recommendation was to update the on-premises Exchange servers to the latest patch level and to make sure that they are not accessible via the Internet. In the blog post, I also pointed out that there are thousands of Exchange servers in USA and Europe, that are not patched.
Warning from CERTs
In the meantime, several CERTs has taken up the issue and warns in the following tweet about the security vulnerabilities mentioned above.
Jan Kopriva from SANS Institute has tried to find out how many servers might be affected by ProxyShell attack and vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 via the search engine Shodan and are accessible via the Internet. The results from the following tweet, or from this article, are devastating.
Advertising
In USA are more than 8.000 vulnerable Exchange Server reachable via Internet erreichen and has vulnerability CVE-2021-34473 unpatched.
ProxyShell checker as Nmap plugin
Security researcher Kevin Beaumont, who also runs the attacked Exchange honeypot, has written a ProxyShell Checker on the fly and made it available on his GitHub page.
The scanner is implemented as an Nmap plugin. Nmap ("Network Mapper") is a free and open source (licensed) network detection and security scanning utility.
Sigma rules for ProxyShell attacks
Florian Roth points out in the following tweet that he has extended and modified the ProxyShell Sigma rules (see also) for SIEM systems with the help of @buffaloverflow. The rules now distinguish between attempted and successful exploitation.
Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Microsoft Defender automatically mitigates CVE-2021-26855 on Exchange Server
Exchange hack news: What's about risk? (April 1, 2021)
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?
Exchange vulnerabilities: Will we see Hafnium II?
