Hackers Actively Searching for Unpatched Microsoft Exchange Servers

Threat actors are actively carrying out opportunistic scanning^[1]
and exploitation^[2]
of Exchange servers using a new exploit chain leveraging a trio of
flaws affecting on-premises installations, making them the latest
set of bugs after ProxyLogon vulnerabilities were exploited en
masse at the start of the year.

The remote code execution flaws have been collectively dubbed
“ProxyShell.” At least 30,000 machines are affected by the
vulnerabilities, according^[3]
to a Shodan scan performed by Jan Kopriva of SANS Internet Storm
Center.

“Started to see in the wild exploit attempts against our
honeypot infrastructure for the Exchange ProxyShell
vulnerabilities,” NCC Group’s Richard Warren tweeted^[4], noting that one of the
intrusions resulted in the deployment of a “C# aspx webshell in the
/aspnet_client/ directory.”

Patched in early March 2021, ProxyLogon^[5]
is the moniker for CVE-2021-26855, a server-side request forgery
vulnerability in Exchange Server that permits an attacker to take
control of a vulnerable server as an administrator, and which can
be chained with another post-authentication arbitrary-file-write
vulnerability, CVE-2021-27065, to achieve code execution.

The vulnerabilities came to light after Microsoft spilled the beans^[6]
on a Beijing-sponsored hacking operation that leveraged the
weaknesses to strike entities in the U.S. for purposes of
exfiltrating information in what the company described as limited
and targeted attacks.

Since then, the Windows maker has fixed six more flaws in its
mail server component, two of which are called ProxyOracle^[7], which enables an
adversary to recover the user’s password in plaintext format.

Three other issues — known as ProxyShell — could be abused to
bypass ACL controls, elevate privileges on Exchange PowerShell
backend, effectively authenticating the attacker and allowing for
remote code execution. Microsoft noted that both CVE-2021-34473 and
CVE-2021-34523 were inadvertently omitted from publication until
July.

ProxyLogon:

• CVE-2021-26855^[8] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on March
  2)
• CVE-2021-26857^[9] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on March
  2)
• CVE-2021-26858^[10] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on March
  2)
• CVE-2021-27065^[11] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on March
  2)

ProxyOracle:

• CVE-2021-31195^[12] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on May 11)
• CVE-2021-31196^[13] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on July
  13)

ProxyShell:

• CVE-2021-31207^[14] – Microsoft Exchange
  Server Security Feature Bypass Vulnerability (Patched on May
  11)
• CVE-2021-34473^[15] – Microsoft Exchange
  Server Remote Code Execution Vulnerability (Patched on April 13,
  advisory released on July 13)
• CVE-2021-34523^[16] – Microsoft Exchange
  Server Elevation of Privilege Vulnerability (Patched on April 13,
  advisory released on July 13)

Other:

• CVE-2021-33768^[17] – Microsoft Exchange
  Server Elevation of Privilege Vulnerability (Patched on July
  13)

Originally demonstrated at the Pwn2Own hacking competition^[18] this April, technical
details of the ProxyShell attack chain were disclosed by DEVCORE
researcher Orange Tsai at the Black Hat USA 2021^[19] and DEF CON^[20] security conferences
last week. To prevent exploitation attempts, organizations are
highly recommended to install updates released by Microsoft.