It took cybercriminals a little less than ten days to seize on it: during the Black Hat conference held at the beginning of the month, researcher Orange Tsai unveiled details of new security vulnerabilities affecting on-premises versions of Exchange, built on principles similar to the ProxyLogon flaws he discovered, which were disclosed in March. Called ProxyOracle and ProxyShell, these flaws were fixed by Microsoft in several patches released between April and July.
Among them, ProxyShell is the one with the greatest impact: it chains three vulnerabilities in Exchange servers to take remote control of the server and execute code on the machine. The three vulnerabilities are CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. They were discovered by Orange Tsai, who reported them to Microsoft through the 2021 edition of the Pwn2Own competition.
From scanning to exploitation
Shortly after the publication of technical details on exploiting these flaws, researcher Kevin Beaumont indicated on Twitter that his honeypots had detected the first scans from people trying to identify machines vulnerable to this attack.
The finding was confirmed by CERT-FR, which published an advisory yesterday about this new attack, stating that “CERT-FR is aware of active Internet scanning campaigns targeting Exchange servers for these vulnerabilities”. The CERT-FR bulletin also notes that proofs of concept are publicly available for parts of the exploitation chain and that many Exchange servers remain vulnerable. CERT-FR therefore urges administrators to patch these vulnerabilities quickly.
As BleepingComputer reports, cybercriminals have now stepped up a gear and are actively exploiting the flaws to compromise vulnerable Exchange servers and install a web shell, which then lets them execute code on the compromised machine. The online outlet bases this on statements by Kevin Beaumont and Rich Warren, a researcher at NCC Group, who both indicated on Twitter that they had observed exploitation attempts against the honeypots they had deployed to detect these attacks. A honeypot is a computer resource exposed on the Internet and intended to serve as a decoy to detect attempted attacks.
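As an added example (not code from the article, from the researchers it cites, or from CERT-FR), the following Python script scans IIS W3C logs from an Exchange front end for the kind of probing the honeypots picked up. It keys on the publicly documented pre-authentication path-confusion pattern of CVE-2021-34473: a request to /autodiscover/autodiscover.json whose query string begins with "@host/backend-path", optionally carrying the X-Rps-CAT token used to reach the PowerShell backend (CVE-2021-34523). The sample log lines are constructed, and the label names and the BACKEND_HINTS list are this example's own choices rather than official indicator names.

```python
"""Flag ProxyShell-style scans and exploitation attempts in IIS W3C logs.

Added example for this article; not code from the article, Kevin Beaumont,
Rich Warren or CERT-FR. The indicator is the publicly documented pre-auth
path-confusion pattern of CVE-2021-34473: a request to
/autodiscover/autodiscover.json whose query string starts with
'@<host>/<backend path>'. Label names and BACKEND_HINTS are this example's
own choices, not official IOC names.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Backend paths commonly reached through the Autodiscover path confusion.
# Chosen for this example; extend to taste.
BACKEND_HINTS = ("/powershell", "/mapi/nspi", "/ews/", "/owa/")

# Query string that begins with '@host/': the front end then treats what
# follows the '@' as an explicit-logon backend path.
PATH_CONFUSION = re.compile(r"^@[\w.-]+/")

# Constructed sample log (default IIS W3C field layout; IIS logs spaces
# inside the User-Agent as '+'). Not real traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 09:14:03 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-08-12 09:15:41 10.0.0.5 GET /autodiscover/autodiscover.json @test.com/owa/&Email=autodiscover/autodiscover.json%3F@test.com 443 - 198.51.100.7 python-requests/2.25.1 - 302 0 0 12
2021-08-12 09:15:42 10.0.0.5 POST /autodiscover/autodiscover.json @test.com/powershell/&Email=autodiscover/autodiscover.json%3F@test.com&X-Rps-CAT=AAAA 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 640
2021-08-12 09:16:10 10.0.0.5 GET /autodiscover/autodiscover.json @test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 48
2021-08-12 09:20:00 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\\alice 10.0.0.20 Microsoft+Office/16.0 - 200 0 0 19
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # unknown layout or malformed line: skip rather than guess
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a label for one parsed entry, or None when it looks benign."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote(entry.get("cs-uri-query", "")).lower()
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return None
    # A legitimate Autodiscover query can carry an '@' (Email=user@domain),
    # so require the '@host/' prefix, not just the character.
    if not PATH_CONFUSION.match(query):
        return None
    if "/powershell" in query or "x-rps-cat=" in query:
        # Reaching the PowerShell backend, or presenting a CAT token,
        # is an exploitation attempt rather than a mere probe.
        return "proxyshell-exploit-attempt"
    if any(hint in query for hint in BACKEND_HINTS):
        return "proxyshell-scan"
    return "autodiscover-path-confusion"


def scan_log(text):
    """Return (client ip, method, label) for every suspicious entry, in log order."""
    return [
        (e["c-ip"], e["cs-method"], label)
        for e in parse_w3c(text)
        if (label := classify(e)) is not None
    ]


def sources_by_count(text):
    """Count suspicious requests per source address."""
    return dict(Counter(ip for ip, _, _ in scan_log(text)))


if __name__ == "__main__":
    for ip, method, label in scan_log(SAMPLE_IIS_LOG):
        print(f"{ip:15} {method:5} {label}")
    print(sources_by_count(SAMPLE_IIS_LOG))
```

To run it against a real server, pass the contents of a file from the IIS log directory (the default location is %SystemDrive%\inetpub\logs\LogFiles\W3SVC1) to scan_log instead of SAMPLE_IIS_LOG. A hit labelled proxyshell-exploit-attempt on an unpatched server warrants a hunt for recently written .aspx files under the Exchange web roots, since a web shell is the payload the honeypot operators observed.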
The decoys have therefore spoken, and they indicate that cybercriminals are trying to compromise devices vulnerable to this type of attack. It is not yet clear what the goal of these attempts is, beyond installing a web shell that lets attackers retain access to the compromised machine and return to it later. Since the ProxyLogon flaws gave rise to ransomware attacks and data theft, there is no reason to expect ProxyShell to be used any differently.