Exchange Servers Under Active Attack via ProxyShell Bugs
2021-08-13 18:56

In his Black Hat presentation last week, Devcore principal security researcher Orange Tsai said that a survey shows more than 400,000 Exchange servers on the internet are exposed to the attack via port 443.

A breakdown of Exchange servers on Shodan shows that those vulnerable to ProxyShell or ProxyLogon make up just under 50% of internet-facing Exchange servers.

"As the most common-use email solution, Exchange Server has been the top target for hackers for a long time. Based on our research, there are more than four hundred thousand Exchange Servers exposed on the Internet. Each server represents a company, and you can imagine how horrible it is while a severe vulnerability appeared in Exchange Server."

During his Black Hat presentation, Tsai explained that the new attack surface his team discovered is based on "a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service, splits into frontend and backend" - a change that incurred "quite an amount of design" and yielded eight vulnerabilities, consisting of server-side bugs, client-side bugs and crypto bugs.

"These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by about 400,000 Exchange Servers," according to the presentation's introduction.

As BleepingComputer reported, during his presentation, Tsai explained that one of the components of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service: a service that eases configuration and deployment by providing clients access to Exchange features with minimal user input.


News URL

https://threatpost.com/exchange-servers-attack-proxyshell/168661/