Attackers Scan for Microsoft Exchange ProxyShell Remote Code Execution Vulnerabilities

Microsoft Exchange Server is one of the most popular mail servers and runs exclusively on Windows Server operating systems. That popularity also makes it a frequent target for cybercriminals.

According to Orange Tsai, hackers are continuously scanning for Microsoft Exchange servers affected by the ProxyShell remote code execution vulnerabilities; the scanning began after the technical details were presented at the Black Hat conference.

The report explains that ProxyShell is the collective name for three vulnerabilities which, chained together, yield unauthenticated remote code execution on Microsoft Exchange servers.

Vulnerabilities used in ProxyShell attacks

After investigating the attack, the experts confirmed that three vulnerabilities make up ProxyShell, and Orange Tsai documented each of the chained flaws used in this attack:

  • CVE-2021-34473: Pre-auth Path Confusion leading to ACL Bypass, patched in April by KB5001779
  • CVE-2021-34523: Elevation of Privilege on the Exchange PowerShell Backend, patched in April by KB5001779
  • CVE-2021-31207: Post-auth Arbitrary File Write leading to RCE, patched in May by KB5003435

Hackers scan for vulnerable Microsoft Exchange servers

According to the report, the security researchers configured their Exchange server as a honeypot and observed threat actors probing the honeypot's Autodiscover service.

The report stated that the threat actors also follow the presentations given at security conferences and quickly adapted the techniques that were demonstrated there.

The threat actors detect vulnerable systems by requesting a new URL that triggers compilation of the ASP.NET web application.

Microsoft Exchange ProxyShell Demonstration

Apart from this, Orange Tsai advised Microsoft Exchange users to keep their systems updated, since applying the patches protects them from these attacks.

Orange Tsai also stated that 400,000 Microsoft Exchange servers are currently exposed on the Internet, which they say indicates that the hackers have had many successful attacks.

The hackers are also actively trying to exploit these vulnerabilities, but so far with only limited success; they have not achieved full exploitation.

However, Tsai's security analysts note that patches for the ProxyShell vulnerabilities have already been released, and the experts state that the attacks should not cause much harm as long as the available patches are applied.


BALAJI is an ex-security researcher (Threat Research Labs) at Comodo Cybersecurity and Editor-in-Chief & Co-Founder of Cyber Security News & GBHackers On Security.