Customer Awareness: Microsoft Exchange Servers are being Actively Scanned for ProxyShell

Key Points:

  • Last week, a security researcher gave a presentation on MS Exchange vulnerabilities known as “ProxyShell” at Black Hat USA and DefCon.
  • Two security researchers published proof-of-concept code two days later.
  • Last week, a security researcher Tweeted that his Exchange honeypot was logging suspicious traffic that may be related to scanning of ProxyShell.

Summary

At the Black Hat USA and DefCon security conferences, DEVCORE researcher Orange Tsai gave a presentation titled “ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!” (Slides, Video). His presentations discussed three ProxyShell vulnerabilities in Microsoft Exchange Server: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Microsoft released patches for these vulnerabilities in its April and May Patch Tuesday releases. Not long after Tsai’s presentations, two other researchers published their reproduction of Tsai’s work at Pwn2Own, which included additional technical details and a demonstration of the vulnerability chain being exploited (Video).

Tenable states that “By chaining these vulnerabilities, an attacker could execute arbitrary commands on vulnerable Exchange servers on port 443.”

On August 6, security researcher Kevin Beaumont posted to his Twitter account, “I may have an update – somebody is accessing /autodiscover/autodiscover.json to access MAPI, and my IIS is writing out files and executing commands.” On August 8, New Zealand’s CERT issued an advisory regarding “Active scanning for Microsoft Exchange Proxyshell vulnerability,” and the Swiss National Cyber Security Center posted to their Twitter account, “We received reports about scanning activities searching for Microsoft Exchange servers vulnerable to ProxyShell. We urge you to apply the corresponding patches IMMEDIATELY (KB5001779 + KB5003435) and check your Exchange server(s) for signs of intrusion!”
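As a starting point for the log review urged above, the following added example (not code from deepwatch or from the researchers quoted) parses IIS W3C logs and summarizes, per client IP, requests to the `/autodiscover/autodiscover.json` path that Beaumont reported, counting separately those that also reference `/mapi/`. The log lines, IP addresses and query strings are constructed placeholders, and a hit is a lead for triage rather than proof of compromise.

```python
# Path named in the advisory; compared in lower case because IIS paths are case-insensitive.
WATCH_PATH = "/autodiscover/autodiscover.json"

# Constructed sample in IIS W3C extended format (documentation IP ranges, placeholder queries).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-08 10:01:02 192.0.2.10 GET /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200
2021-08-08 10:01:05 192.0.2.10 GET /autodiscover/autodiscover.json a=placeholder/mapi/placeholder 443 203.0.113.5 - 200
2021-08-08 10:01:06 192.0.2.10 POST /Autodiscover/Autodiscover.json a=placeholder/mapi/placeholder 443 203.0.113.5 - 302
2021-08-08 10:02:00 192.0.2.10 GET /autodiscover/autodiscover.json - 443 198.51.100.9 Mozilla/5.0 401
2021-08-08 10:02:01 192.0.2.10 GET /autodiscover/autodiscover.json
"""


def find_autodiscover_hits(log_text):
    """Return {client_ip: {"hits": int, "mapi": int, "statuses": set}} for WATCH_PATH requests."""
    fields, report = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is site-specific and can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line, or no #Fields directive seen yet
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        if WATCH_PATH not in stem:
            continue
        query = row.get("cs-uri-query", "").lower()
        entry = report.setdefault(row.get("c-ip", "unknown"),
                                  {"hits": 0, "mapi": 0, "statuses": set()})
        entry["hits"] += 1
        if "/mapi/" in stem + "?" + query:
            entry["mapi"] += 1  # autodiscover.json request that also references MAPI
        entry["statuses"].add(row.get("sc-status", "?"))
    return report


if __name__ == "__main__":
    for ip, e in sorted(find_autodiscover_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {e['hits']} hit(s), {e['mapi']} referencing /mapi/, "
              f"status codes {sorted(e['statuses'])}")
```

To use it on a server, pass the contents of each IIS log file to `find_autodiscover_hits` and review the clients with a non-zero `mapi` count first.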

deepwatch Insights

deepwatch recommends organizations immediately review the current patch levels of Microsoft Exchange Servers in their environment to ensure these systems are up-to-date with security patches (KB5001779 + KB5003435). Additionally, check that the security protection software on these systems is also current and functioning properly to support the defense-in-depth strategy.
