News

Attackers Now Scanning for 'ProxyShell' Vulnerabilities in Exchange Server

• By Kurt Mackie
• 08/13/2021

Recent scanning for a "Critical" remote code execution vulnerability (CVE-2021-34473) in Exchange Server, dubbed "ProxyShell," has been detected by security researchers.

Security researcher and ex-Microsoft employee Kevin Beaumont described seeing an uptick in ProxyShell scanning in this Aug. 9 Twitter post. Later, he stated that an "Exchange ProxyShell exploitation wave has started," in an Aug. 12 Twitter post.

"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out," Beaumont added in the Aug. 12 post. "Gonna be a cleanup job ahead for admins."

The Webshells were shown to Lawrence Abrams, a writer at BleepingComputer.com, by security researcher Rich Warren, according to this Aug. 12 BleepingComputer.com article.

Last month, Microsoft issued a patch for the CVE-2021-34473 vulnerability, rated 9.1 (out of 10) on the Common Vulnerability Scoring System scale, but organizations likely could be behind in patching Exchange Server. The ProxyShell exploit, though, was publicly described at last week's BlackHat security conference, and it seems attackers are now looking use it.

The ProxyShell vulnerability is actually three chained exploits (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). Security researcher Orange Tsai of DevCore is credited with the discovery. Orange Tsai had presented the ProxyShell exploit at BlackHat after "responsible disclosure" to Microsoft, he indicated.

ProxyShell and ProxyLogon
A series of zero-day Exchange Server flaws, dubbed "ProxyLogon," were what inspired Orange Tsai's research. ProxyShell branched off from that research, he indicated. Microsoft had issued "out-of-band" fixes for some of those ProxyLogon vulnerabilities back in early March.

However, the ProxyLogon vulnerabilities have opened a new attack surface in Exchange Server, and ProxyLogon was "just the tip of the iceberg," Orange Tsai indicated in an announcement. That announcement is Part 1 of a planned four-part series describing these "new" Exchange Server vulnerabilities.

Microsoft had released "out-of-band" Exchange Server patches in early March after an advanced persistent threat group (APT) was exploiting one of the ProxyLogon vulnerabilities. Orange Tsai, though, explained in his announcement that "even though they used the same SSRF [server-side request forgery], the APT group was exploiting it in a very different way from us."

The ProxyLogon attacks by an APT group, dubbed "Hafnium" by Microsoft, were widespread. In March, Microsoft released indicator of compromise tools to detect possible Webshell activity. In April, the U.S. Federal Bureau of Investigation disclosed that it had deleted Webshells on Hafnium-compromised systems.

Unpatched Exchange Servers
Security researcher Jan Kopriva used Shodan, a search tool that detects devices connected to the Internet, to find "about 30 400 machines affected by the three vulnerabilities" associated with ProxyShell. A chart in Kopriva's SANS Internet Storm Center post showed that most of those Exchange Servers vulnerable to the ProxyShell attack are located in the United States, followed by Germany, the United Kingdom and France.

Abrams was told by security solutions firm Bad Packets that it was seeing ProxyShell scanning of "IP addresses in the USA, Iran and the Netherlands."

Lots of Exchange Server systems aren't patched, according to Orange Tsai, as well as Beaumont, who indicated that "thousands of orgs" haven't applied Exchange Server patches from April and May.