{"id":22253,"date":"2021-11-23T11:12:10","date_gmt":"2021-11-23T10:12:10","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=22253"},"modified":"2022-11-04T11:42:55","modified_gmt":"2022-11-04T10:42:55","slug":"warnung-proxyshell-squirrelwaffle-und-ein-poc-eploit-patcht-endlich-eure-exchange-server","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/11\/23\/warnung-proxyshell-squirrelwaffle-und-ein-poc-eploit-patcht-endlich-eure-exchange-server\/","title":{"rendered":"ProxyShell, Squirrelwaffle and a new PoC Exploit, patch your Exchange Server!"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/11\/23\/warnung-proxyshell-squirrelwaffle-und-ein-poc-eploit-patcht-endlich-eure-exchange-server\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Currently, I warn about running unpatched Exchange vulnerabilities and ProxyShell attacks almost on a daily basis. A few days ago, Trend Micro issued a warning about attacks against ProxyShell vulnerabilities via the Squirrelwaffle exploit and the takeover of Exchange email mailboxes. As of a few hours ago, another exploit is public as a proof of concept, and exploitation against unpatched Exchange servers is likely. 
So patch the systems!<\/p>\n<p><!--more--><\/p>\n<h2>The ProxyShell vulnerabilities<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/vg08.met.vgwort.de\/na\/4cdb663e729b48df82afaaa98d0c4473\" width=\"1\" height=\"1\">Cyber attackers have been using three known and named ProxyShell vulnerabilities in Microsoft's Exchange Server 2013, 2016 and 2019 for months, and updates have been available for them:<\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34473\" target=\"_blank\" rel=\"noopener\">CVE-2021-34473<\/a>: A critical remote code execution vulnerability that does not require user action or privilege to exploit;\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34523\" target=\"_blank\" rel=\"noopener\">CVE-2021-34523<\/a>: A privilege escalation vulnerability after authentication;\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-31207\" target=\"_blank\" rel=\"noopener\">CVE-2021-31207<\/a>: A post-authentication medium severity flaw that allows attackers to gain administrative access on vulnerable systems.<\/li>\n<\/ul>\n<p>Microsoft fixed the vulnerabilities in April and May 2021, and also assigned corresponding CVEs in July 2021, as well as released security updates. Since that time, there have been numerous warnings (including here on the blog, see the list of links at the end of the article) that the vulnerabilities have been exploited. In November 2021, security researchers at vendor Mandiant came across approximately 30,000 Exchange servers accessible via the Internet that were unpatched and thus still vulnerable to these attacks. 
Meanwhile, there is a warning that the ProxyShell vulnerabilities are being abused via new attack variants (see <a href=\"https:\/\/borncity.com\/win\/2021\/11\/20\/proxynoshell-mandiant-warnt-vor-neuen-angriffsmethoden-auf-exchange-server-nov-2021\/\">ProxyNoShell: Mandiant warns of new attack methods on Exchange servers (Nov. 2021)<\/a>).<\/p>\n<h2>Trend Micro warns about Squirrelwaffle exploit<\/h2>\n<p>Last Friday, Trend Micro (TM) published the article <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html\" target=\"_blank\" rel=\"noopener\">Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains<\/a> on its blog. The article is about a new exploit for the ProxyShell vulnerabilities in Exchange. In September, Squirrelwaffle emerged as a new loader that infects vulnerable Exchange servers via these vulnerabilities. The loader is spread via spam campaigns and is known to send its malicious emails as replies to pre-existing email chains. This tactic lowers the victims' guard against malicious activity, because recipients trust known senders.<\/p>\n<p>The TM security researchers believe that the attackers use a chain of ProxyLogon and ProxyShell exploits to accomplish these attacks. The background is that in all of the attacks Trend Micro observed and later investigated in the Middle East, the Exchange servers hacked via Squirrelwaffle were vulnerable to the ProxyLogon and ProxyShell vulnerabilities. 
In their blog post, the security researchers shed more light on these initial access techniques and the early stages of the Squirrelwaffle campaigns &#8211; I don't need to go into the details.<\/p>\n<h2>New proof of concept exploit<\/h2>\n<p>In November 2021, there were further security updates for the latest Exchange CUs, closing a remote code execution vulnerability (see <a href=\"https:\/\/borncity.com\/win\/2021\/11\/10\/exchange-server-november-2021-sicherheitsupdates-schlieen-rce-schwachstelle-cve-2021-423\/\">Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423<\/a>). Two weeks later, on Sunday, Nov. 21, 2021, Vietnam-based security researcher Janggggg (@testanull) published a proof of concept Exchange post-auth RCE exploit &#8211; see the following <a href=\"https:\/\/twitter.com\/testanull\/status\/1462363736815988744\" target=\"_blank\" rel=\"noopener\">tweet<\/a>.<\/p>\n<p><a href=\"https:\/\/twitter.com\/testanull\/status\/1462363736815988744\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Exchange PoC\" alt=\"Exchange PoC\" src=\"https:\/\/i.imgur.com\/WGcLXOP.png\"><\/a><\/p>\n<p>As a demonstration, the exploit launches MSPaint on vulnerable systems running Exchange Server 2016 and 2019. The colleagues at Bleeping Computer published <a href=\"https:\/\/web.archive.org\/web\/20220627111231\/https:\/\/www.bleepingcomputer.com\/news\/security\/exploit-released-for-microsoft-exchange-rce-bug-patch-now\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> on that matter. Microsoft confirms that it is seeing a limited number of attacks via the vulnerabilities. So it's time to double-check that your Exchange servers are patched. 
This can be done with the <a href=\"https:\/\/aka.ms\/ExchangeHealthChecker\" target=\"_blank\" rel=\"noopener\">Exchange Server Health Checker<\/a> script if necessary.<\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2021\/07\/14\/sicherheitsupdates-fr-exchange-server-juli-2021\/\">Security updates for Exchange Server (July 2021)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/06\/29\/kumulative-exchange-updates-juni-2021-verffentlicht\/\">Cumulative Exchange CUs June 2021 released<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/04\/14\/exchange-server-security-update-kb5001779-13-april-2021\/\">Exchange Server Security Update KB5001779 (April 13, 2021)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/03\/06\/exchange-probleme-mit-ecp-nach-sicherheitsupdate-mrz-2021\/\">Exchange issues with ECP\/OWA search after installing security update (March 2021)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/07\/17\/exchange-sicherheitsupdates-von-juli-2021-zerschieen-ecp-und-owa\/\">Exchange security updates from July 2021 break ECP and OWA<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/07\/13\/exchange-2016-2019-outlook-probleme-durch-amsi-integration\/\">Exchange 2016\/2019: Outlook problems due to AMSI integration<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/08\/22\/angriffswelle-fast-2-000-exchange-server-ber-proxyshell-gehackt\/\">Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/08\/29\/exchange-server-2016-2019-benutzerdefinierte-attribute-in-ecp-nach-cu-installation-juli-2021-nicht-mehr-aktualisierbar\/\">Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/08\/30\/exchange-server-authentifizierungs-bypass-mit-proxytoken\/\">Exchange Server: Authentication bypass with ProxyToken<\/a><br \/><a 
href=\"https:\/\/borncity.com\/win\/2021\/08\/08\/exchange-schwachstellen-droht-hafnium-ii\/\">Exchange vulnerabilities: Will we see Hafnium II?<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/07\/13\/exchange-2016-2019-outlook-probleme-durch-amsi-integration\/\">Exchange 2016\/2019: Outlook problems due to AMSI integration<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/09\/27\/exchange-server-september-2021-cu-kommt-zum-28-9-2021-mit-microsoft-exchange-emergency-mitigation-service\/\">Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/09\/29\/exchange-server-september-2021-cu-28-9-2021\/\">Exchange Server September 2021 CU (2021\/09\/28)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/10\/13\/sicherheitsupdates-fr-exchange-server-oktober-2021\/\">Security updates for Exchange Server (October 2021)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/10\/17\/tifanu-cup-2021-exchange-2019-und-iphone-gehackt\/\">Tianfu Cup 2021: Exchange 2019 and iPhone hacked<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/11\/06\/babuk-gang-nutzt-proxyshell-schwachstelle-in-exchange-fr-ransomware-angriffe\/\">Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/11\/10\/exchange-server-november-2021-sicherheitsupdates-schlieen-rce-schwachstelle-cve-2021-423\/\">Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/11\/13\/bsi-cert-warnung-kompromittierte-exchange-server-werden-fr-e-mail-angriffe-missbraucht-nov-2021\/\">CERT warning: Compromised Exchange servers are misused for email attacks (Nov. 
2021)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/11\/18\/warnung-cert-bund-usa-gb-vor-angriffen-auf-exchange-und-fortinet\/\">CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/11\/20\/proxynoshell-mandiant-warnt-vor-neuen-angriffsmethoden-auf-exchange-server-nov-2021\/\">ProxyNoShell: Mandiant warns of new attack methods on Exchange servers (Nov. 2021)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Currently, I warn about running unpatched Exchange vulnerabilities and ProxyShell attacks almost on a daily basis. A few days ago, Trend Micro issued a warning about attacks against ProxyShell vulnerabilities via the Squirrelwaffle exploit and the takeover of Exchange email &hellip; <a href=\"https:\/\/borncity.com\/win\/2021\/11\/23\/warnung-proxyshell-squirrelwaffle-und-ein-poc-eploit-patcht-endlich-eure-exchange-server\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1547,22],"tags":[869,69,195],"class_list":["post-22253","post","type-post","status-publish","format-standard","hentry","category-software","category-update","tag-exchange","tag-security","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=22253"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22253\/revisions"}],"wp:attachment":[{"hr
ef":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=22253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=22253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=22253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}