ProxyShell, Squirrelwaffle and a new PoC Exploit, patch your Exchange Server!

Sicherheit (Pexels, allgemeine Nutzung)[German]Currently, I warn about running unpatched Exchange vulnerabilities and ProxyShell attacks almost on a daily basis. A few days ago, Trend Micro issued a warning about attacks against ProxyShell vulnerabilities via the Squirrelwaffle exploit and the takeover of Exchange email mailboxes. As of a few hours ago, another exploit is public as a proof of concept, and exploitation against unpatched Exchange servers is likely. So patch the systems!


The ProxyShell vulnerabilities

Cyber attackers have been using three known and named ProxyShell vulnerabilities in Microsoft's Exchange Server 2013, 2016 and 2019 for months, and updates have been available for them:

  • CVE-2021-34473: A critical remote code execution vulnerability that does not require user action or privilege to exploit;
  • CVE-2021-34523: A privilege escalation vulnerability after authentication;
  • CVE-2021-31207: A post-authentication medium severity flaw that allows attackers to gain administrative access on vulnerable systems.

Microsoft fixed the vulnerabilities in April and May 2021, and also assigned corresponding CVEs in July 2021, as well as released security updates. Since that time, there have been numerous warnings (including here on the blog, see the list of links at the end of the article) that the vulnerabilities have been exploited. In November 2021, security researchers at vendor Mandiant came across approximately 30,000 Exchange servers accessible via the Internet that were unpatched and thus still vulnerable to these attacks. Meanwhile, there is a warning that the ProxyShell vulnerabilities are being abused via new attack variants (see ProxyNoShell: Mandiant warns of new attack methods on Exchange servers (Nov. 2021)).

Trend Micro warns about Squirrelwaffle exploit

Last Friday, Trend Micro (TM) published the article Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains on its blog. The article is about a new exploit for the ProyShell vulnerabilities in Exchange. In September, Squirrelwaffle emerged as a new loader to infect vulnerable Exchange servers via the vulnerabilities. The loader is spread via spam campaigns and is known to send its malicious emails as replies to pre-existing email chains. This is a tactic that lowers victims' protection against malicious activity (recipients trust known senders). 

The TM security researchers believe that the attackers use a chain of ProxyLogon and ProxyShell exploits to accomplish these attacks. The background is that all of the attacks observed and then later investigated by Trend Micro in the Middle East were vulnerable to ProxyLogon and ProxyShell vulnerabilities via Exchange servers hacked via Squirrelwaffle. In their blog post, the security researchers shed more light on these initial access techniques and the early stages of the Squirrelwaffle campaigns – I don't need to go into the details.

New proof of concept exploit

In November 2021, yes, there were more security updates for the latest Exchange CUs, closing a remote code execution vulnerability (see Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423). Two weeks later, on Sunday, Nov. 21, 2021, Vietnam-based security researcher Janggggg (@testanull) published a proof of concept Exchange post-auth RCE exploit – see the following tweet.


Exchange PoC

The exploit launches to demo MSPaint on the vulnerable systems running Exchange Server 2016 and 2019. The colleagues at Bleeping Computer published this article on that matter. Microsoft confirms that they are seeing a limited number of attacks via the vulnerabilities. So it's time to double-check your Exchange servers are patched. Can be done with the Exchange Server Health Checker script if necessary.

Similar articles:
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server September 2021 CU (2021/09/28)
Security updates for Exchange Server (October 2021)
Tianfu Cup 2021: Exchange 2019 and iPhone hacked
Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks
Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423
CERT warning: Compromised Exchange servers are misused for email attacks (Nov. 2021)
CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet
ProxyNoShell: Mandiant warns of new attack methods on Exchange servers (Nov. 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Software, Update and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *