ProxyNoShell: Mandiant warns of new attack methods on Exchange servers (Nov. 2021)

Sicherheit (Pexels, allgemeine Nutzung)[German]Cyber attackers have been using three known vulnerabilities in Microsoft's Exchange Servers for months, for which updates have been available for months. Despite this, there are around 30,000 Microsoft Exchange Servers accessible via the Internet that are vulnerable to attack via these vulnerabilities. Security researchers have now issued a warning because cyber criminals have changed their tactics to attack systems and install hard-to-detect WebShells there by exploiting three vulnerabilities in on-premises Microsoft Exchange servers, grouped under the name ProxyShell.


The ProxyShell vulnerabilities

ProxyShell  is a combination of three vulnerabilities in Microsoft Exchange Server:

  • CVE-2021-34473: A critical remote code execution vulnerability that does not require user action or privilege to exploit;
  • CVE-2021-34523: A post-authentication elevation of privilege vulnerability;
  • CVE-2021-31207: A post-authentication medium severity flaw that allows attackers to gain administrative access on vulnerable systems.

Exchange Server 2013, 2016 and 2019 are vulnerable, but security updates are available. Microsoft fixed the vulnerabilities in April and May, and also assigned corresponding CVEs in July 2021. The security updates in question were released at the same time. In addition, there have been numerous warnings in the meantime that the security vulnerabilities have been exploited.

The issue should have been in the clear in the meantime. But in November 2021, security researchers from the provider Mandiant came across around 30,000 Exchange servers that are accessible via the Internet, which are not patched and are therefore still vulnerable to these attacks.

New ProxyShell Attack Tactics

Now, security researchers at Mandiant have recently observed new attack tactics for exploiting ProxyShell vulnerabilities, and the days published the blog post ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities. I came across this report via the following tweet.

A Change in Tactics Exploiting ProxyShell Vulnerabilities in Exchange Server


This may be a response by cyber criminals to the fact that antivirus and endpoint detection and response (EDR) vendors have been quick to develop detection capabilities for Web shells created via mailbox export. Mandiant's Joshua Goddard says that likely prompted the attackers to look for new ways to attack unpatched Exchange Server systems via the ProxyShell vulnerabilities. 

In several recent incident response deployments, Mandiant observed threat actors exploiting the vulnerabilities in different ways than previously known.

  • Previously, mailbox exports and exploitation of the first two vulnerabilities in the exploit chain were used to install a WebShell.
  • Now, WebShells are installed on vulnerable target systems via the export of Exchange certificate requests.

Once a WebShell is successfully installed, the attackers can use remote PowerShell to create new mailboxes, assign them privileged access to other mailboxes, and then access them via Outlook Web Access (OWA). Mandiant has therefore decided to make these changes in tactics public. This is because the previously published detection and response instructions focused exclusively on web shells originating from the mailbox export.

The Mandiant blog post details the recent attack paths used to install WebShells and compromise Exchange mailboxes. Just a few days ago, in the blog post CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet, I published a warning from the BSI about compromised Exchange servers being abused for email attacks. Mandiant's blog post provides guidance on how to both monitor and scan Exchange servers for successful compromise. Perhaps the advice will be helpful to Exchange administrators.

Similar articles:
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server September 2021 CU (2021/09/28)
Security updates for Exchange Server (October 2021)
Tianfu Cup 2021: Exchange 2019 and iPhone hacked
Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks
Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423
CERT warning: Compromised Exchange servers are misused for email attacks (Nov. 2021)
CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *