Almost 2,000 Exchange servers hacked using ProxyShell exploit
Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell.
The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month, and scans for vulnerable systems began last week.
What is ProxyShell?
Discovered by Taiwanese security researcher Orange Tsai, ProxyShell is a collection of three different security flaws that can be used to take control of Microsoft Exchange email servers. These include:
- CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
- CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
- CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.
In the grand scheme of things, ProxyShell is part of a trio of attack chains that Tsai has discovered and put together over the past year since he first began searching for vulnerabilities in Microsoft Exchange servers in mid-2020:
Tsai used the ProxyShell exploit during the Pwn2Own 2021 hacking contest in April this year, where he earned $200,000 for a successful server compromise.
More than 30,400 Exchange servers exposed to attacks
Following his session, details about the exploit were immediately shared with Microsoft, and the company patched the three vulnerabilities in May and July this year.
But just like with the ProxyLogon and ProxyOracle disclosures in March and April this year, not all server administrators rushed to patch vulnerable systems.
A scan performed on August 8 by ISC SANS, two days after the ProxyShell proof-of-concept code was published, found that more than 30,400 Exchange servers from a total of 100,000 systems had yet to be patched and remained vulnerable to attacks.
1,900+ Exchange servers already hacked
Initial exploitation started with scans for vulnerable systems, which then turned into actual attacks over the past weekend, according to honeypot logs collected by security researchers Rich Warren and Kevin Beaumont.
Attacks intensified this week, and even a new ransomware operation known as LockFile began using the ProxyShell exploit as a way to enter corporate networks.
On Friday, security firm Huntress Labs said it scanned Microsoft Exchange servers that have been hacked using ProxyShell and found more than 140 different web shells on more than 1,900 Exchange servers.
“Impacted organizations thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” said Kyle Hanslovan, CEO and co-founder of Huntress Labs.
Making matters worse, earlier this week, a user on a Russian-speaking underground cybercrime forum also published a list of all the 100,000+ internet-accessible Exchange servers, lowering the barrier so even more threat actors can just grab the public exploit and start attacking Exchange servers within minutes.
To help system administrators investigate their Exchange servers, Huntress Labs has released indicators of compromise (IOCs).
Readers looking to learn more about the ProxyShell vulnerabilities can read Tsai’s technical report linked above or watch his Def Con talk.