Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell

Sicherheit (Pexels, allgemeine Nutzung)[German]I have been waiting for this for a long time, but now the feared has happened. Since Friday, there has been a massive wave of attacks on unpatched Microsoft Exchange servers via the ProxyShell vulnerability. Huntres has already discovered over 1,900 hacked Exchange servers but which had a shell installed. Meanwhile, CERT-Bund also warns. Here is some information about the state of attack wave.


Advertising

German CERT-Bund warns of attack wave

I became aware of a wave of attacks on unpatched Microsoft Exchange servers running since Friday on Twitter via various sources. CERT-Bund has meanwhile issued the following warning

Attacks on Exchange Server via ProxyShell

The HuntressLabs of the security vendor in question discovered more than 140 webshells on more than 1900 unpatched machines running Microsoft Exchange within 48 hours. These 140+ webshells were found on Server 2013/2016/2019 versions of on-prem Exchange. It should be noted that most of the webshells are randomly named, but some have recurring patterns. The Exchange servers were infected using the ProxyShell.  Huntress published the blog post Microsoft Exchange Server still vulnerable to ProxyShell Exploit exploit as of August 21, 2021, which is continuously updated.

 Exchange attack via Proxy Shell

Security researcher Kevin Beaumont published this article on the topic at DoublePulsar (see also above tweet). Other articles can be found at The Record, and Bleeping Computer reports here that the FileLocker ransomware gang is attacking Exchange servers via ProxyShell exploit. Affected businesses include construction companies, fish processing plants, industrial machinery, auto repair shops, a small airport, and more.


Advertising

The ProxyShell vulnerability

Taiwanese security researcher Orange Tsai of the DEVCORE team gave a presentation on Exchange vulnerabilities at BlackHat 2021 in early Augst. He showed how by combining old vulnerabilities (e.g. CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that were closed by updates in April 2021, Microsoft Exchange servers can be attacked and taken over via exploits called ProxyLogon, ProxyOracle and ProxyShell.

I had written about the vulnerability in the blog post Exchange vulnerabilities: Will we see Hafnium II? The recommendation was to update the on-premises Exchange servers to the latest patch level and to make sure that they are not accessible via the Internet (see also Attacks on Exchange Server via ProxyShell vulnerability (8/13/2021)). Already in the blog post Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021) I had then pointed out incipient attacks. 

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)


Advertising

This entry was posted in computer, Security, Software, Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).