Hackers Actively Searching for Unpatched Microsoft Exchange Servers
Threat actors are actively carrying out opportunistic scanning and exploitation of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs to be targeted after the ProxyLogon vulnerabilities were exploited en masse at the start of the year.
The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.
"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren tweeted, noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory."
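One way to check for the artifact described above is to review IIS logs for requests to `.aspx` paths under `aspnet_client`, on the assumption that the stock directory holds only static script files. This is an added example, not code from the article or from NCC Group; the log lines, IP addresses and file names are constructed.

```python
"""Flag IIS requests for .aspx files under /aspnet_client/ (added example)."""
from collections import Counter

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-12 03:15:42 10.0.0.5 GET /aspnet_client/system_web/4_0_30319/WebUIValidation.js - 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-12 03:16:09 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-08-12 03:16:30 10.0.0.5 POST /ASPNET_CLIENT/system_web/Example2.ASPX - 443 - 203.0.113.9 python-requests/2.25 404
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def suspicious_requests(lines):
    """Return rows requesting an .aspx path under /aspnet_client/."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
            hits.append(row)
    return hits


def summarize(hits):
    """Count hits per (client IP, path, status) so served files (200) stand out."""
    return Counter((h["c-ip"], h["cs-uri-stem"], h["sc-status"]) for h in hits)


if __name__ == "__main__":
    for (ip, path, status), n in summarize(suspicious_requests(SAMPLE_LOG.splitlines())).items():
        print(f"{n}x {ip} -> {path} (HTTP {status})")
```

A hit with status 200 means the server returned content for that path, so the file on disk should be examined; a 404 indicates probing for a file that was not present.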
Patched in early March 2021, ProxyLogon is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.
The vulnerabilities came to light after Microsoft spilled the beans on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.
Three other issues - known as ProxyShell - could be abused to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/o6H5XVqU5W0/hackers-actively-searching-for.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-03 | CVE-2021-26855 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |
2021-03-03 | CVE-2021-27065 | Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |