Warning! Attackers Compromise Over 2000 Microsoft Exchange Servers With ProxyShell Flaws

Over the past two days, attackers have compromised almost 2000 Microsoft Exchange servers through unpatched ProxyShell vulnerabilities and installed backdoors on them.

Researchers at the security firm Huntress Labs discovered the incident. The attacks began after the publication of a PoC exploit earlier this month, and scans in search of vulnerable servers started just two weeks ago.

ProxyShell and the vulnerabilities

ProxyShell is a Microsoft Exchange bug that was initially discovered by Orange Tsai, a Taiwanese security researcher.

ProxyShell consists of three different security flaws, through which a remote attacker can gain access to and take control of Microsoft Exchange email servers.

The three security flaws are:

  • CVE-2021-34473: This security flaw provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
  • CVE-2021-34523: This vulnerability enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
  • CVE-2021-31207: This security bug enables malicious actors, post-authentication, to execute arbitrary code in the context of the system and write arbitrary files.

Threat actors are actively exploiting all of these vulnerabilities against vulnerable Exchange servers, as reported by the cybersecurity analysts at Huntress.

Moreover, on August 17 and 18, the Huntress experts noted and reported more than 100 incidents related to this exploit.

Orange Tsai, the Taiwanese security researcher, found that ProxyShell is part of a trio of attack chains:

  • ProxyLogon
  • ProxyOracle
  • ProxyShell

In April this year, during the Pwn2Own 2021 hacking contest, Tsai earned $200,000 for a successful server compromise using the ProxyShell exploit.

More than 30,400 Exchange servers are vulnerable

Despite the availability of fixes for the vulnerabilities described above, system admins do not seem to be in a hurry to install them.

On August 8, ISC SANS conducted a scan and reported that more than 30,400 Exchange servers, out of a total of 100,000 systems, had not been patched and were vulnerable to such attacks.

Patch levels and appropriate hash for MSExchangeRPC

The patch levels and the corresponding MSExchangeRPC hash for each are:

Exchange 2019 CU10 + KB5004780 = v15.2.922.13

 – 8a103fbf4b18871c1378ef2689f0bdf062336d7e02a5f149132cdbd6121d4781

Exchange 2019 CU9 + KB5004780 = v15.2.858.15

 – c5c88f5b013711060bcf4392caebbc3996936b49c4a9b2053169d521f82010aa

Exchange 2016 CU21 + KB5004779 = v15.1.2308.14

 – 9f7f12011436c0bbf3aced5a9f0be8fc7795a00d0395bfd91ff76164e61f918d

Exchange 2016 CU20 + KB5004779 = v15.1.2242.12

 – ab767de6193c3f6dff680ab13180d33d21d67597e15362c09caf64eb8dfa2498

Exchange 2013 CU23 + KB5004778 = v15.0.1497.23

 – 20659e56c780cc96b4bca5e4bf48c812898c88cf134a84ac34033e41deee46e9
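The following is an added example, not code from Huntress, Microsoft or the original article: a small Python check that compares a server's reported build and a locally computed SHA-256 against the list above. It assumes that builds sharing the first three version components belong to the same CU; the function names and the sample inventory are constructed for illustration, and the file to hash is supplied by the operator because the article gives no path.

```python
import hashlib

# Patch levels and MSExchangeRPC SHA-256 values copied from the list above.
LISTED = {
    "15.2.922.13": "8a103fbf4b18871c1378ef2689f0bdf062336d7e02a5f149132cdbd6121d4781",
    "15.2.858.15": "c5c88f5b013711060bcf4392caebbc3996936b49c4a9b2053169d521f82010aa",
    "15.1.2308.14": "9f7f12011436c0bbf3aced5a9f0be8fc7795a00d0395bfd91ff76164e61f918d",
    "15.1.2242.12": "ab767de6193c3f6dff680ab13180d33d21d67597e15362c09caf64eb8dfa2498",
    "15.0.1497.23": "20659e56c780cc96b4bca5e4bf48c812898c88cf134a84ac34033e41deee46e9",
}

def parse_build(text):
    """Turn 'v15.2.922.13' or '15.2.922.13' into a tuple of four ints."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def classify_build(text):
    """Compare a build with the listed level of the same CU (same first three parts)."""
    build = parse_build(text)
    for listed in LISTED:
        level = parse_build(listed)
        if level[:3] == build[:3]:
            return "at-or-above-listed" if build[3] >= level[3] else "below-listed"
    return "cu-not-listed"  # the list says nothing about this CU; not a verdict

def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_matches(text, digest):
    """True only if the build is a listed level and the digest equals its listed hash."""
    expected = LISTED.get(".".join(map(str, parse_build(text))))
    return expected is not None and digest.strip().lower() == expected

if __name__ == "__main__":
    # Constructed sample inventory (host names and builds are made up for illustration).
    for host, build in [("mail01", "15.2.922.13"), ("mail02", "15.2.922.7"),
                        ("mail03", "15.1.2308.20"), ("mail04", "15.2.721.2")]:
        print(host, build, classify_build(build))
```

A "cu-not-listed" result only means the list above does not cover that CU, so the server still needs to be checked against the vendor's guidance.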

Over 2000 Exchange servers were hacked

During their scan, they found that all 2000 compromised Microsoft Exchange servers were hacked through ProxyShell, and they also found more than 140 different web shells on those servers.

The hacked Exchange servers belonged to several kinds of organizations, including:

  • Construction companies
  • Seafood manufacturers
  • Industrial equipment suppliers
  • Auto repair shops
  • Small airport

The situation was aggravated when a user on a Russian-speaking hacker forum published a list of more than 100,000 internet-accessible Exchange servers.

As a result, all the attackers need is an available exploit to start attacking the servers on that list.