A few months ago, when the ProxyLogon vulnerabilities were disclosed in Microsoft Exchange Servers, a large number of attackers had started using it for launching thousands of attack attempts within a short duration. And yet again, another set of vulnerabilities—ProxyShell—is under attack within a short duration of its revelation.
What has been discovered
Cybersecurity researcher Kevin Beaumont identified that a threat actor is actively trying to exploit Microsoft Exchange installs by targeting ProxyShell vulnerabilities. ProxyShell was revealed by security researcher Orange Tsai from Devcore and presented during the Black Hat USA 2021.
The newly discovered vulnerabilities in Microsoft Exchange servers can be exploited via the Client Access Service (CAS), which runs in IIS on port 443.
The attack chain targeted several components of Exchange Servers, such as the Autodiscover service and Exchange PowerShell backend.
Moreover, attackers have been making further adjustments and fine-tuning their attack exploit based on further revelations made by Tsai.
For instance, the attacker was observed using a new request to scan for the vulnerable exchange servers via an auto-discovery feature that was recently disclosed.
Detection tips: The presence of the strings /autodiscover/autodiscover.json or /mapi/nspi/ in the IIS logs may indicate an active probe of the ProxyShell vulnerabilities.
ProxyShell is the name given to a set of three vulnerabilities in Microsoft Exchange Servers. It includes the following three vulnerabilities:
CVE-2021-34473 - a remote code execution vulnerability. In this, a pre-auth path confusion can lead to ACL Bypass. This was patched (KB5001779) in April.
CVE-2021-34523 - an elevation of privilege vulnerability in Exchange PowerShell Backend. It was patched (KB5001779) in April.
CVE-2021-31207 - Security Feature Bypass Vulnerability in Exchange server. In this, a post-auth arbitrary file write may lead to RCE. It was patched (KB5003435) in May.
Attackers keep scanning for such vulnerabilities and loose ends may allow them to enter company networks. Their keen interest in Microsoft Exchange Server makes it important for all organizations to put proactive defense measures in place. Therefore, experts recommend applying all the patches as early as possible and using additional layers of security such as endpoint threat detection.