Threat Actor Actively Scanning for Microsoft Exchange Servers Vulnerable to ProxyShell Attacks

A warning has been issued after attackers were observed scanning for the ProxyShell remote code execution vulnerabilities in Microsoft Exchange, following the recent public disclosure of technical details of the flaws.

ProxyShell consists of three vulnerabilities, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, that can be chained together in attacks on Microsoft Exchange servers. The vulnerabilities were identified by Orange Tsai, the principal researcher at security consulting firm DEVCORE. The flaws can be exploited through Microsoft Exchange’s Client Access Service (CAS), which runs on port 443 in IIS.

Tsai reported the flaws to Microsoft, which released patches for the first two vulnerabilities in April and for the third in May. Microsoft patched the flaws quietly and did not disclose details of the vulnerabilities until May and July 2021. Microsoft rated two of the flaws as critical: the privilege escalation vulnerability CVE-2021-34523 and the RCE flaw CVE-2021-34473, the latter of which was also rated "exploitation more likely". The security feature bypass flaw, CVE-2021-31207, was given a medium severity rating.

Tsai and researchers at DEVCORE demonstrated an exploit for the flaws in the 2021 Pwn2Own hacking contest and earned a $200,000 bug bounty; however, details of the exploit were not publicly disclosed and were only reported to Microsoft. At this year’s Black Hat USA conference, Tsai gave a presentation in which limited details of the exploit were presented, including that the Microsoft Exchange Autodiscover service was targeted. After the presentation, two other researchers wrote a blog post in which they explained how it was possible to reproduce the ProxyShell exploit.

Shortly after publication of the blog post, security researcher Kevin Beaumont’s Microsoft Exchange honeypot was hit. A threat actor had attempted to drop files and execute commands, showing scans are now being actively conducted to identify vulnerable Microsoft Exchange servers.

Tsai said there are approximately 400,000 Microsoft Exchange servers exposed on the Internet. Beaumont said on Twitter that, while the patches have been available for months, currently only around 50% of Internet-exposed Microsoft Exchange servers have been patched.

It is imperative for Microsoft Exchange administrators to install the latest cumulative updates to fix the vulnerabilities before they are exploited.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news