Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell.
The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month, and scans for vulnerable systems began last week.
What is ProxyShell?
Discovered by Taiwanese security researcher Orange Tsai, ProxyShell is a collection of three different security flaws that can be used to take control of Microsoft Exchange email servers. These include:
- CVE-2021-34473 is a pre-authentication remote code execution flaw: it lets unauthenticated malicious actors remotely execute code on an affected system.
- CVE-2021-34523 lets malicious actors execute arbitrary code post-authentication on Microsoft Exchange servers, because of a flaw in the Exchange PowerShell service that fails to properly validate access tokens.
- CVE-2021-31207 lets authenticated malicious actors execute arbitrary code in the context of SYSTEM and write arbitrary files.
More broadly, ProxyShell is one of a trio of attack chains that Tsai has discovered and assembled over the past year, since he first began searching for vulnerabilities in Microsoft Exchange servers in mid-2020:
Tsai used the ProxyShell exploit during the Pwn2Own 2021 hacking contest in April this year, where he earned $200,000 for a successful server compromise.
More than 30,400 Exchange servers exposed to attacks
Following his session, details about the exploit were immediately shared with Microsoft, and the company patched the three vulnerabilities in May and July this year.
But just like with the ProxyLogon and ProxyOracle disclosures in March and April this year, not all server administrators rushed to patch vulnerable systems.
A scan performed on August 8 by ISC SANS, two days after the ProxyShell proof-of-concept code was published, found that more than 30,400 Exchange servers from a total of 100,000 systems had yet to be patched and remained vulnerable to attacks.
1,900+ Exchange servers already hacked
Initial exploitation started with scans for vulnerable systems, which then turned into actual attacks over the past weekend, according to honeypot logs collected by security researchers Rich Warren and Kevin Beaumont.
Attacks intensified this week, and even a new ransomware operation known as LockFile began using the ProxyShell exploit as a way to enter corporate networks.
ProxyShell is now being used to drop corporate ransomware (as is PetitPotam), same IP and actor as in this thread. Myself and @buffaloverflow have been watching them. https://t.co/XZbFLTkami
— Kevin Beaumont (@GossiTheDog), August 20, 2021
On Friday, security firm Huntress Labs said it scanned Microsoft Exchange servers that have been hacked using ProxyShell and found more than 140 different web shells on more than 1,900 Exchange servers.
“Impacted organizations thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” said Kyle Hanslovan, CEO and co-founder of Huntress Labs.
Keep your Exchange servers safe this weekend. @HuntressLabs has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more. #ProxyShell pic.twitter.com/clhQ0E5rnR
— Kyle Hanslovan (@KyleHanslovan), August 20, 2021
According to indicators of compromise shared by Huntress Labs, some of the web shells installed on hacked servers appear to use the same file name patterns as the web shells used in attacks exploiting the ProxyLogon vulnerabilities earlier this year, suggesting that largely the same threat actors might be involved in the ProxyShell attacks today.
BTW: we already had filename pattern signatures from the HAFNIUM incidents in the rule base to detect most of these shells long before August pic.twitter.com/bpit7EKTRH
— Florian Roth (@cyb3rops), August 21, 2021
Making matters worse, earlier this week a user on a Russian-speaking underground cybercrime forum also published a list of all 100,000+ internet-accessible Exchange servers, lowering the barrier further: even more threat actors can now simply grab the public exploit and start attacking Exchange servers within minutes.
Readers looking to learn more about the ProxyShell vulnerabilities can read Tsai’s technical report linked above or watch his Def Con talk embedded below.
The post Almost 2,000 Exchange servers hacked using ProxyShell exploit appeared first on The Record by Recorded Future.