Almost 2,000 Exchange Servers Hacked using ProxyShell Exploit

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,441
Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell.

The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month, and scans for vulnerable systems began last week. On Friday, security firm Huntress Labs said it scanned Microsoft Exchange servers that have been hacked using ProxyShell and found more than 140 different web shells on more than 1,900 Exchange servers. Discovered by Taiwanese security researcher Orange Tsai, ProxyShell is a collection of three different security flaws that can be used to take control of Microsoft Exchange email servers. These include:
  • CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
  • CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
  • CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.
“Impacted organizations thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” said Kyle Hanslovan, CEO and co-founder of Huntress Labs. Making matters worse, earlier this week, a user on a Russian-speaking underground cybercrime forum also published a list of all the 100,000+ internet-accessible Exchange servers, lowering the barrier so even more threat actors can just grab the public exploit and start attacking Exchange servers within minutes.
 
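The chain described above leaves a recognisable trace in the Exchange server's IIS logs, which is how scans for compromised servers can be cross-checked from the host side. The script below is an added example, not code from this post, Huntress or Microsoft: it walks W3C-format IIS log lines and flags requests shaped like the public ProxyShell chain (an Autodiscover request whose `Email` parameter points back at `autodiscover.json`, routed on to the backend `/mapi/nspi` or `/powershell` endpoints). The log lines, client addresses and timestamps are constructed for the example; the field names follow the standard IIS W3C `#Fields:` header. Treat the literal `@evil.corp` string as a low-confidence indicator only, since it comes from the proof-of-concept and is trivially changed.

```python
import re
from urllib.parse import unquote

# Constructed W3C IIS log excerpt (not from the page or any real incident).
# Lines 2 and 3 mimic the public ProxyShell chain; lines 4 and 5 are ordinary traffic.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 01:02:03 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-20 01:02:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-20 01:05:11 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f 443 - 198.51.100.4 Mozilla/5.0 200
2021-08-20 01:06:45 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.9 Microsoft+Office/16.0 200
"""


def classify_request(stem, query):
    """Return the reasons a single request looks like ProxyShell (empty list if benign).

    The checks key on the *structure* of the chain rather than on any one string:
    the pre-auth path confusion (CVE-2021-34473) needs an Autodiscover request whose
    Email parameter names autodiscover.json again, and the request is then forwarded
    to a backend endpoint such as /mapi/nspi or /powershell (CVE-2021-34523 stage).
    """
    reasons = []
    if not stem.lower().startswith("/autodiscover/autodiscover.json"):
        return reasons
    # IIS logs the raw query string; the PoC percent-encodes the '?' inside Email.
    q = unquote(query).lower()
    m = re.search(r"email=([^&]+)", q)
    if m and "autodiscover/autodiscover.json" in m.group(1):
        reasons.append("Email parameter points back at autodiscover.json (path confusion, CVE-2021-34473)")
    if "/powershell" in q:
        reasons.append("Autodiscover request forwarded to backend /powershell (CVE-2021-34523 stage)")
    if "/mapi/nspi" in q:
        reasons.append("Autodiscover request forwarded to backend /mapi/nspi (used by the public chain before the PowerShell step)")
    if "@evil.corp" in q:
        reasons.append("low confidence: literal '@evil.corp' from the public proof-of-concept")
    return reasons


def scan_iis_log(text):
    """Parse W3C IIS log text and return one finding per suspicious request."""
    fields = None
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # header defines the column order
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, raw.split(" ")))  # IIS encodes spaces in values as '+'
        reasons = classify_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", ""))
        if reasons:
            hits.append({
                "line": lineno,
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "status": rec.get("sc-status"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {hit['line']}: {hit['method']} from {hit['client']} (HTTP {hit['status']})")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Point the scanner at the FrontEnd IIS site logs (the `W3SVC1` directory under `inetpub\logs\LogFiles` on a default install) and pay attention to hits with HTTP 200 from an external address: a 200 on the `/powershell` stage means the backend accepted the request, which is the point at which the attacker can run Exchange PowerShell cmdlets and drop a web shell.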
CyberTech

Level 36
Verified
Nov 10, 2017
2,501
Microsoft has finally published guidance today for the actively exploited ProxyShell vulnerabilities impacting multiple on-premises Microsoft Exchange versions.
ProxyShell is a collection of three security flaws (patched in April and May) discovered by Devcore security researcher Orange Tsai, who exploited them to compromise a Microsoft Exchange server during the Pwn2Own 2021 hacking contest.
Although Microsoft fully patched the ProxyShell bugs by May 2021, they didn't assign CVE IDs for the vulnerabilities until July, preventing some orgs with unpatched servers from discovering that they had vulnerable systems on their networks.
 

Gandalf_The_Grey

Level 51
Verified
Trusted
Content Creator
Apr 24, 2016
4,011
New ransomware attack going after vulnerable Microsoft Exchange servers
A new ransomware attack highlights the importance of updating Microsoft Exchange servers
What you need to know
  • A new ransomware attack is targeting vulnerable Microsoft Exchange servers.
  • The attack utilizes the same ProxyShell vulnerability exploits that were seen in the recent LockFile attacks.
  • Microsoft patched these vulnerabilities in May 2021, but attackers have found ways around these fixes.
Yet another group of attackers is targeting vulnerable Microsoft Exchange servers. This time it's a group known as Conti, which is using ProxyShell vulnerabilities to get into corporate networks. News of the attacks comes from Sophos, which was involved in an incident response case (via Bleeping Computer).

ProxyShell refers to three chained Microsoft Exchange vulnerabilities. When exploited, attackers can use it for unauthenticated, remote execution. The vulnerabilities were first discovered by Orange Tsai. The ProxyShell vulnerabilities were also said to be utilized in the recent LockFile attacks.

Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit (via Peter Json). Some organizations have not implemented Microsoft's patch yet, leaving servers vulnerable. Since the technical details of the vulnerabilities have been released, threat actors know how to exploit them on unpatched servers.

The attacks by Conti saw attackers compromise servers and install tools to gain remote access to devices. The threat actors were then able to steal unencrypted data.

A worrying detail about this attack is the speed at which it was completed. "Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data," says Sophos. "After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer."

The attackers from Conti used an email from "@evil.corp," which raises several red flags.

To keep servers protected, Exchange server admins need to apply Microsoft's most recent cumulative updates.
 