[TheRecord] Almost 2,000 Exchange servers hacked using ProxyShell exploit

Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell.

The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month, and scans for vulnerable systems began last week.

What is ProxyShell?

Discovered by Taiwanese security researcher Orange Tsai, ProxyShell is a collection of three different security flaws that can be used to take control of Microsoft Exchange email servers. These include:

- CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
- CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
- CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.

In the grand scheme of things, ProxyShell is part of a trio of attack chains that Tsai has discovered and put together over the past year since he first began searching for vulnerabilities in Microsoft Exchange servers in mid-2020:


Tsai used the ProxyShell exploit during the Pwn2Own 2021 hacking contest in April this year, where he earned $200,000 for a successful server compromise.

More than 30,400 Exchange servers exposed to attacks

Following his session, details about the exploit were immediately shared with Microsoft, and the company patched the three vulnerabilities in May and July this year.

But just like with the ProxyLogon and ProxyOracle disclosures in March and April this year, not all server administrators rushed to patch vulnerable systems.

A scan performed on August 8 by ISC SANS, two days after the ProxyShell proof-of-concept code was published, found that more than 30,400 Exchange servers from a total of 100,000 systems had yet to be patched and remained vulnerable to attacks.

1,900+ Exchange servers already hacked

Initial exploitation started with scans for vulnerable systems, which then turned into actual attacks over the past weekend, according to honeypot logs collected by security researchers Rich Warren and Kevin Beaumont.

Attacks intensified this week, and even a new ransomware operation known as LockFile began using the ProxyShell exploit as a way to enter corporate networks.

ProxyShell is now being used to drop corporate ransomware (as is PetitPotam), same IP and actor as in this thread. Myself and @buffaloverflow have been watching them. https://t.co/XZbFLTkami

— Kevin Beaumont (@GossiTheDog) August 20, 2021

On Friday, security firm Huntress Labs said it scanned Microsoft Exchange servers that have been hacked using ProxyShell and found more than 140 different web shells on more than 1,900 Exchange servers.

“Impacted organizations thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” said Kyle Hanslovan, CEO and co-founder of Huntress Labs.

Keep your Exchange servers safe this weekend. @HuntressLabs has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more. #ProxyShell pic.twitter.com/clhQ0E5rnR

— Kyle Hanslovan (@KyleHanslovan) August 20, 2021

According to indicators of compromise shared by Huntress Labs, some of the web shells installed on hacked servers appear to use the same file name patterns as the web shells used in attacks exploiting the ProxyLogon vulnerabilities earlier this year, suggesting that largely the same threat actors might be involved in the ProxyShell attacks today.

BTW: we already had filename pattern signatures from the HAFNIUM incidents in the rule base to detect most of these shells long before August pic.twitter.com/bpit7EKTRH

— Florian Roth (@cyb3rops) August 21, 2021
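The detection angle in the paragraph above is that most of the shells dropped in these attacks are new .aspx files in Exchange's web-facing directories, often with recognisable names. The script below, an added example that is not code from The Record, Huntress Labs or Florian Roth, shows the simplest version of that hunt: compare the .aspx files under a web root against a baseline taken from a clean server of the same build, flag anything not in the baseline or modified after a cutoff date, and grep each flagged file for generic ASP.NET command-execution markers. The directory layout, the baseline set, the marker strings and the sample files are all constructed for illustration and are not Huntress's published indicators.

```python
"""Hunt for unexpected or suspicious .aspx files under an Exchange web root.
Added example; layout, baseline and marker strings are assumptions."""
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed baseline: relative paths of .aspx files present on a clean install,
# captured from a known-good server of the same build (a real one is far longer).
KNOWN_GOOD = {"owa/auth/logon.aspx", "owa/auth/errorFE.aspx"}

# Generic ASP.NET web shell markers: process launch, request-driven code, dynamic loading.
SUSPICIOUS_MARKERS = ("Process.Start", "Request[", "Request.Form[", "Assembly.Load", "eval(")


@dataclass
class Finding:
    path: str
    modified: datetime
    in_baseline: bool
    markers: list = field(default_factory=list)

    @property
    def reason(self) -> str:
        if self.markers:
            return "suspicious content"
        if not self.in_baseline:
            return "not in baseline"
        return "baseline file modified after cutoff"


def hunt_webshells(root: Path, known_good: set, since: datetime) -> list:
    """Return .aspx files absent from the baseline or modified after `since`.
    A baseline file rewritten in place (a trojaned legitimate page) is flagged too."""
    findings = []
    for path in root.rglob("*.aspx"):
        rel = path.relative_to(root).as_posix()
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        in_baseline = rel in known_good
        if in_baseline and modified < since:
            continue  # expected file, untouched since before the cutoff
        text = path.read_text(errors="replace")
        markers = [m for m in SUSPICIOUS_MARKERS if m in text]
        findings.append(Finding(rel, modified, in_baseline, markers))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree; paths and contents are illustrative only."""
    old = (datetime.now(timezone.utc) - timedelta(days=90)).timestamp()
    files = {
        # known-good, untouched for 90 days -> ignored
        "owa/auth/logon.aspx": ('<%@ Page Language="C#" %><html>logon</html>', old),
        # known-good but rewritten today -> reported as modified baseline file
        "owa/auth/errorFE.aspx": ('<%@ Page Language="C#" %><html>error</html>', None),
        # new file that runs whatever the request carries -> suspicious content
        "owa/auth/aspnet_client_info.aspx": (
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["c"]); %>', None),
        # new but benign-looking page -> not in baseline
        "ecp/auth/help.aspx": ('<%@ Page Language="C#" %><html>help</html>', None),
        # not .aspx -> never examined
        "owa/auth/readme.txt": ("plain text", None),
    }
    for rel, (content, mtime) in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        if mtime is not None:
            os.utime(target, (mtime, mtime))


def demo() -> list:
    """Build the sample tree in a temp dir and run the hunt with a 7-day cutoff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        since = datetime.now(timezone.utc) - timedelta(days=7)
        return hunt_webshells(root, KNOWN_GOOD, since)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason} {f.markers}")
```

On a real server the baseline would be generated from a freshly installed or freshly patched Exchange of the same build, and the cutoff set to the date the PoC became public; anything reported as "suspicious content" should be treated as a confirmed compromise and handled by incident response rather than simply deleted, since the shell is evidence of what else the intruder did.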

Making matters worse, earlier this week, a user on a Russian-speaking underground cybercrime forum also published a list of all the 100,000+ internet-accessible Exchange servers, lowering the barrier so even more threat actors can just grab the public exploit and start attacking Exchange servers within minutes.


Readers looking to learn more about the ProxyShell vulnerabilities can read Tsai’s technical report linked above or watch his Def Con talk embedded below.

The post Almost 2,000 Exchange servers hacked using ProxyShell exploit appeared first on The Record by Recorded Future.
