Posted on August 14, 2021 at 1:56 PM
A recent report revealed that threat actors are scanning and exploiting Exchange servers via a previously unknown exploit chain.
According to the report, the hackers are taking advantage of three sets of flaws that affect on-premises installations. This is coming after the ProxyLogon vulnerabilities were exploited massively at the beginning of the year.
30,000 systems already impacted
According to the security researchers who uncovered the exploitation, about 30,000 machines are already affected by the bugs, and the remote code execution flaws have been dubbed “ProxyShell”.
SANS Internet Storm Center carried out a scan on the vulnerabilities and discovered that more systems could still be affected.
Richard Warren of NCC Group tweeted about the vulnerabilities, saying that one of the intrusions led to the deployment of “C# aspx webshell in the /aspnet_client/ directory.”
He also stated that the group had begun seeing in-the-wild exploitation of the Exchange ProxyShell vulnerabilities against its honeypot infrastructure.
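As an added defender-side example (not code from the article or from NCC Group), the following Python hunt lists every .aspx file sitting under an aspnet_client directory, the location named in the tweet. The directory tree, file names and contents are constructed samples; on a real IIS host you would point it at the web root rather than the temporary tree.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical hunt helper (not from the article): walk a web root and report
# every .aspx file under an aspnet_client directory. That folder normally holds
# only static client-side script files, so a server-side .aspx page there
# deserves review; the article reports exactly such drops.

def find_aspx_in_aspnet_client(web_root, modified_since=None):
    """Return sorted [(path, sha256, mtime_utc)] for .aspx files under aspnet_client."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        parts = {p.lower() for p in Path(dirpath).parts}
        if "aspnet_client" not in parts:
            continue
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            full = Path(dirpath) / name
            mtime = datetime.fromtimestamp(full.stat().st_mtime, tz=timezone.utc)
            if modified_since and mtime < modified_since:
                continue  # skip files older than the patch date of interest
            digest = hashlib.sha256(full.read_bytes()).hexdigest()
            hits.append((str(full), digest, mtime))
    return sorted(hits)

def build_sample_web_root():
    """Constructed sample tree: benign static script, legit OWA page, one planted .aspx."""
    root = Path(tempfile.mkdtemp(prefix="inetpub_"))
    client = root / "aspnet_client" / "system_web" / "4_0_30319"
    client.mkdir(parents=True)
    (client / "WebForms.js").write_text("// benign static script\n")
    (root / "aspnet_client" / "sample.aspx").write_text('<%@ Page Language="C#" %>\n')
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "owa" / "auth" / "logon.aspx").write_text("<!-- legitimate OWA page -->\n")
    return root

if __name__ == "__main__":
    root = build_sample_web_root()
    for path, digest, mtime in find_aspx_in_aspnet_client(root):
        print(f"{mtime:%Y-%m-%d %H:%M:%S}Z  {digest[:16]}...  {path}")
```

The hash is included so a hit can be compared against known-good builds or shared with incident responders without copying the file.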
The patch for ProxyLogon was released earlier in March this year. The vulnerability is tracked as CVE-2021-26855, a server-side request forgery bug in Exchange Server. The bug gives a threat actor full access to a vulnerable server as an administrator. Once they hold administrative control, they can chain it with the arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.
Threat actors linked to Beijing-sponsored hacking group
The vulnerabilities became noticed and exposed after tech giant Microsoft exposed a Beijing-sponsored hacking syndicate. They used the vulnerabilities to launch repeated attacks on U.S. companies to exfiltrate information. However, at the time, Microsoft referred to the attacks as limited and targeted.
It seems the threat actors are now using a more direct strategy to take advantage of the older vulnerabilities discovered on Microsoft Exchange Servers.
Since Microsoft exposed the Beijing-based threat actors, it has released patches for about six of the flaws. Two of the fixed flaws, known as ProxyOracle, allow a threat actor to recover a user’s password in plaintext.
However, Microsoft is still working to fix other issues. Three of them can be exploited by bypassing ACL controls, according to the report. Successful exploitation can give the attacker elevated privileges on the Exchange PowerShell backend, which amounts to effective authentication and leads to remote code execution.
Microsoft admitted that both CVE-2021-34523 and CVE-2021-34473 were unintentionally excluded from the publication until July.
Organizations are advised to install updates
Orange Tsai, a DEVCORE researcher, originally disclosed the technical details of the ProxyShell attack chain at the recent Black Hat USA 2021 and DEF CON security conferences.
The security researchers have advised users on how to prevent exploitation attempts by the threat actors. Organizations have been advised to install the updates released by Microsoft as soon as possible.
Microsoft said patches for the following vulnerabilities are available.
The updates have been available since March 13, 2021. Microsoft also warned that organizations that have not applied the updates are at higher risk of being exploited.
Microsoft Exchange Servers suffer repeated attacks
This is not the first time Microsoft Exchange Servers have been vulnerable to attacks. In March this year, about 30,000 U.S.-based organizations were impacted by a cyberattack orchestrated by a Chinese cyber-espionage group. The attack affected local governments, towns, and small businesses. The threat actors broke in through four vulnerabilities in the Microsoft Exchange Server email software and stole email from victim organizations.
Then, Microsoft said the exchange servers were targeted by a previously unknown Chinese hacking syndicate dubbed ‘Hafnium.’ According to the tech giant, the group has been carrying out targeted attacks on several email systems used by different organizations from a wide range of industries. These include NGOs, policy think tanks, defense contractors, higher education institutions, law firms, and infectious disease researchers.