
Hackers Actively Searching for Unpatched Microsoft Exchange Servers
2021-08-13 02:46

Threat actors are actively carrying out opportunistic scanning and exploitation of Exchange servers using a new exploit chain that leverages a trio of flaws affecting on-premises installations, making these the latest set of Exchange bugs to be targeted since the ProxyLogon vulnerabilities were exploited en masse at the start of the year.

The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.

"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren tweeted, noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory."

Patched in early March 2021, ProxyLogon is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.

The vulnerabilities came to light after Microsoft spilled the beans on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.

Three other issues - collectively known as ProxyShell - could be abused to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/o6H5XVqU5W0/hackers-actively-searching-for.html

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | VECTOR | COMPLEXITY | VENDOR | CWE | SEVERITY | CVSS |
|------|-----|---------------------|--------|------------|--------|-----|----------|------|
| 2021-03-03 | CVE-2021-26855 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | network | low complexity | microsoft | CWE-918 | critical | 9.1 |
| 2021-03-03 | CVE-2021-27065 | Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | local | low complexity | microsoft | CWE-22 | | 7.8 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774