[German]I'm bringing this up again before the weekend, even though the readership of this blog is probably well informed and keeps the Exchange servers up to date with the latest patches. It's Friday the 13th and we're about to hit the weekend. And it looks like the wave of attacks on Microsoft Exchange Servers via the ProxyShell vulnerability is rolling in now. All Exchange Servers still running on the March 2021 patch level and accessible via the Internet are vulnerable to these attacks and can be taken over.
Advertising
The ProxyShell vulnerability
Taiwanese security researcher Orange Tsai of the DEVCORE team gave a presentation on Exchange vulnerabilities at BlackHat 2021 in early August. He showed how by combining old vulnerabilities (e.g. CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that were closed by updates in April 2021, Microsoft Exchange servers can be attacked and taken over via exploits called ProxyLogon, ProxyOracle and ProxyShell.
I had written in the blog post Exchange vulnerabilities: Will we see Hafnium II? reported on this issue. The recommendation was to update the on-premises Exchange servers to the latest patch level and to ensure that they are not accessible via the Internet.
Thousands of unpatched systems, and scans has begun
Already in the blog post Exchange vulnerabilities: Will we see Hafnium II? I mentioned that security researchers were noticing initial attempts to access their Exchange servers acting as honeypots. Colleagues at Bleeping Computer have revisited the issue in this article. Rich Warren of the Red Team at NCC Group Research & Technology points this out in the following tweet.
The security researchers observe the first exploit attempts in the wild against their honeypot infrastructure for the Exchange ProxyShell vulnerabilities. In this attempt, a C# aspx webshell was dropped in the /aspnet_client/ directory.
Advertising
Security researcher Kevin Beaumont also notes that the attack wave is starting, as can be inferred from the following tweets.
In case of a successful attack, a custom web shell is uploaded to the Exchange system, which is then responsible for various activities. Bleeping Computer has been contacted by security researcher Warren and described the situation, including the details, in this article.
Too many unpatched systems
The remedy is to update the Exchange servers to the latest update status, as I also described in the blog post Exchange vulnerabilities: Will we see Hafnium II? The problem is that there are thousands of Exchange servers worldwide that are vulnerable to the ProxyShell vulnerability (see Exchange Server: Update on ProxyShell vulnerabilities).
In the blog post Exchange Server: Update on ProxyShell vulnerabilities I had also provided advice for Exchange administrators. Once there is a ProxyShell checker as Nmap plugin by security researcher Kevin Beaumont. In addition, Florian Roth has extended and modified his ProxyShell Sigma rules for SIEM systems. These now detect attempted and successful attacks.
Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Microsoft Defender automatically mitigates CVE-2021-26855 on Exchange Server
Exchange hack news: What's about risk? (April 1, 2021)
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?
Exchange vulnerabilities: Will we see Hafnium II?
Exchange Server: Update on ProxyShell vulnerabilities
