{"id":21072,"date":"2021-08-22T02:53:07","date_gmt":"2021-08-22T00:53:07","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=21072"},"modified":"2021-08-22T02:53:07","modified_gmt":"2021-08-22T00:53:07","slug":"angriffswelle-fast-2-000-exchange-server-ber-proxyshell-gehackt","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/08\/22\/angriffswelle-fast-2-000-exchange-server-ber-proxyshell-gehackt\/","title":{"rendered":"Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell"},"content":{"rendered":"

\"Sicherheit[German<\/a>]I have been waiting for this for a long time, but now the feared has happened. Since Friday, there has been a massive wave of attacks on unpatched Microsoft Exchange servers via the ProxyShell vulnerability. Huntres has already discovered over 1,900 hacked Exchange servers but which had a shell installed. Meanwhile, CERT-Bund also warns. Here is some information about the state of attack wave.<\/p>\n

<\/p>\n

German CERT-Bund warns of attack wave<\/h2>\n

\"\"I became aware of a wave of attacks on unpatched Microsoft Exchange servers running since Friday on Twitter via various sources. CERT-Bund has meanwhile issued the following warning<\/a>.  <\/p>\n

\"Attacks<\/a><\/p>\n

The HuntressLabs of the security vendor in question discovered more than 140 webshells on more than 1900 unpatched machines running Microsoft Exchange within 48 hours. These 140+ webshells were found on Server 2013\/2016\/2019 versions of on-prem Exchange. It should be noted that most of the webshells are randomly named, but some have recurring patterns. The Exchange servers were infected using the ProxyShell.  Huntress published the blog post Microsoft Exchange Server still vulnerable to ProxyShell Exploit<\/a> exploit as of August 21, 2021, which is continuously updated.<\/p>\n

 \"Exchange<\/a><\/p>\n

Security researcher Kevin Beaumont published this article<\/a> on the topic at DoublePulsar (see also above tweet<\/a>). Other articles can be found at The Record<\/a>, and Bleeping Computer reports here<\/a> that the FileLocker ransomware gang is attacking Exchange servers via ProxyShell exploit. Affected businesses include construction companies, fish processing plants, industrial machinery, auto repair shops, a small airport, and more. <\/p>\n

The ProxyShell vulnerability<\/h2>\n

\"\"Taiwanese security researcher Orange Tsai of the DEVCORE team gave a presentation on Exchange vulnerabilities at BlackHat 2021 in early Augst. He showed how by combining old vulnerabilities (e.g. CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that were closed by updates in April 2021, Microsoft Exchange servers can be attacked and taken over via exploits called ProxyLogon, ProxyOracle and ProxyShell. <\/p>\n

I had written about the vulnerability in the blog post Exchange vulnerabilities: Will we see Hafnium II?<\/a> The recommendation was to update the on-premises Exchange servers to the latest patch level and to make sure that they are not accessible via the Internet (see also Attacks on Exchange Server via ProxyShell vulnerability (8\/13\/2021)<\/a>). Already in the blog post Exchange ProxyLogon News: Patch status, new PoC and new findings (03\/18\/2021)<\/a> I had then pointed out incipient attacks.  <\/p>\n

Similar articles<\/strong>
Exchange server 0-day exploits are actively exploited<\/a>
Important notes from Microsoft regarding the Exchange server security update (March 2021)<\/a>
Exchange isues with ECP\/OWA search after installing security update (March 2021)<\/a>
Exchange Hack News \u2013 Test tools from Microsoft and others<\/a>
Microsoft MSERT helps to scan Exchange Servers<\/a>
Cyber attack on Exchange server of the European Banking Authority<\/a>
Exchange hack: new patches and new findings<\/a>
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875<\/a>
Exchange hack: new victims, new patches, new attacks<\/a>
Update on ProxyLogon hafnium exchange issue (March 12, 2021)<\/a>
Was there a leak at Microsoft in the Exchange mass hack?<\/a>
ProxyLogon hack: Administrator's Repository for affected Exchange systems<\/a>
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released<\/a>
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03\/16\/2021)<\/a>
Exchange ProxyLogon News: Patch status, new PoC and new findings (03\/18\/2021)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]I have been waiting for this for a long time, but now the feared has happened. Since Friday, there has been a massive wave of attacks on unpatched Microsoft Exchange servers via the ProxyShell vulnerability. Huntres has already discovered over … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71,580,1547,22],"tags":[869,447,69,195],"class_list":["post-21072","post","type-post","status-publish","format-standard","hentry","category-computer","category-security","category-software","category-update","tag-exchange","tag-hack","tag-security","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=21072"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21072\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=21072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=21072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=21072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}