Almost 2,000 Exchange Servers Hacked using ProxyShell Exploit

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell.

The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month, and scans for vulnerable systems began last week. On Friday, security firm Huntress Labs said it scanned Microsoft Exchange servers that have been hacked using ProxyShell and found more than 140 different web shells on more than 1,900 Exchange servers. Discovered by Taiwanese security researcher Orange Tsai, ProxyShell is a collection of three different security flaws that can be used to take control of Microsoft Exchange email servers. These include:
  • CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
  • CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
  • CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.
“Impacted organizations thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” said Kyle Hanslovan, CEO and co-founder of Huntress Labs. Making matters worse, earlier this week, a user on a Russian-speaking underground cybercrime forum also published a list of all the 100,000+ internet-accessible Exchange servers, lowering the barrier so even more threat actors can just grab the public exploit and start attacking Exchange servers within minutes.
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
Microsoft has finally published guidance today for the actively exploited ProxyShell vulnerabilities impacting multiple on-premises Microsoft Exchange versions.
ProxyShell is a collection of three security flaws (patched in April and May) discovered by Devcore security researcher Orange Tsai, who exploited them to compromise a Microsoft Exchange server during the Pwn2Own 2021 hacking contest.
Although Microsoft fully patched the ProxyShell bugs by May 2021, they didn't assign CVE IDs for the vulnerabilities until July, preventing some orgs with unpatched servers from discovering that they had vulnerable systems on their networks.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
New ransomware attack going after vulnerable Microsoft Exchange servers
A new ransomware attack highlights the importance of updating Microsoft Exchange servers
What you need to know
  • A new ransomware attack is targeting vulnerable Microsoft Exchange servers.
  • The attack utilizes the same ProxyShell vulnerability exploits that were seen in the recent LockFile attacks.
  • Microsoft patched these vulnerabilities in May 2021, but attackers have found ways around these fixes.
Yet another group of attackers is targeting vulnerable Microsoft Exchange servers. This time it's a group known as Conti, which is using ProxyShell vulnerabilities to get into corporate networks. News of the attacks comes from Sophos, which was involved in an incident response case (via Bleeping Computer).

ProxyShell refers to three chained Microsoft Exchange vulnerabilities. When exploited, attackers can use it for unauthenticated, remote execution. The vulnerabilities were first discovered by Orange Tsai. The ProxyShell vulnerabilities were also said to be utilized in the recent LockFile attacks.

Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit (via Peter Json). Some organizations have not implemented Microsoft's patch yet, leaving servers vulnerable. Since the technical details of the vulnerabilities have been released, threat actors know how to exploit them on unpatched servers.

The attacks by Conti saw attackers compromise servers and install tools to gain remote access to devices. The threat actors were then able to steal unencrypted data.

A worrying detail about this attack is the speed at which it was completed. "Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data," says Sophos. "After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer."

The attackers from Conti used an email from "@evil.corp," which raises several red flags.

To keep servers protected, Exchange server admins need to apply Microsoft's most recent cumulative updates.
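The first post says Huntress found web shells on Exchange servers, and the Sophos write-up above notes the attackers used an "@evil.corp" address in their requests. Below is an added example, not code from Huntress, Sophos, Microsoft or any of the posters, of a small triage script a defender can run over IIS logs from the Exchange front-end site to surface both signs. It assumes the standard W3C Extended field names IIS writes (date, time, cs-uri-stem, cs-uri-query, c-ip, ...). The log lines are constructed for the example; the "@evil.corp" value is taken from the Sophos detail quoted above, and treating a `.aspx` file under `/aspnet_client/` as suspicious is an assumption based on that directory being a commonly reported web-shell drop location rather than anything this thread states.

```python
"""Triage IIS W3C logs from an Exchange front-end for ProxyShell-style activity.

Added example for this thread; not from Huntress, Sophos or Microsoft.
Assumes the standard IIS W3C Extended format with a #Fields: header line.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample log for the example (not a real capture); IPs are
# documentation ranges and the "@evil.corp" value is the one quoted from Sophos.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2021-08-20 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/ 443 - 198.51.100.7 python-requests/2.25 200
2021-08-20 10:01:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/ 443 - 198.51.100.7 python-requests/2.25 200
2021-08-20 10:01:40 10.0.0.5 GET /aspnet_client/placeholder.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-20 10:02:00 10.0.0.5 GET /ecp/ - 443 jdoe 192.0.2.11 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended log text into one dict per request, keyed by #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software / #Date
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def find_indicators(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag requests matching two defender-side indicators.

    1. autodiscover-path-confusion: a request to autodiscover.json whose query
       carries an '@' (an e-mail-looking value followed by a back-end path).
       Legitimate Autodiscover clients do not send requests shaped like this.
    2. aspx-in-aspnet_client: an .aspx file being served from /aspnet_client/,
       a directory that should not host application pages (assumption: this is
       a commonly reported web-shell drop location).
    """
    hits: List[Dict[str, str]] = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "")
        query = "" if query == "-" else query  # IIS writes '-' for an empty query
        rule = None
        if "autodiscover.json" in stem and "@" in (stem + query):
            rule = "autodiscover-path-confusion"
        elif stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
            rule = "aspx-in-aspnet_client"
        if rule:
            hits.append({
                "time": f"{r.get('date', '')} {r.get('time', '')}",
                "c-ip": r.get("c-ip", ""),
                "rule": rule,
                "uri": stem + ("?" + query if query else ""),
            })
    return hits


def summarize_by_ip(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per client IP so the noisiest sources surface first."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_indicators(parse_iis_log(SAMPLE_LOG))
    for h in flagged:
        print(f"{h['time']}  {h['c-ip']:<15} {h['rule']:<28} {h['uri']}")
    print("per-IP:", dict(summarize_by_ip(flagged)))
```

Point it at the real front-end logs (by default under `%SystemDrive%\inetpub\logs\LogFiles\` on the Exchange server) and review any client that trips the first rule, then confirm on disk whether the `.aspx` files it requested are part of the product; a hit is a lead for incident response, not proof of compromise on its own. Applying the current cumulative update, as the post says, remains the actual fix.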
 
