
Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns
2021-11-22 23:33

Threat actors are using ProxyLogon and ProxyShell exploits against unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.

ProxyLogon and ProxyShell are the names given to two sets of Microsoft Exchange Server flaws that let a threat actor elevate privileges and execute arbitrary code remotely, effectively granting the ability to take control of the vulnerable machine.

Trend Micro said it observed public exploits for CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 being used against three of the Exchange servers compromised in separate intrusions. The attackers then used that access to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients open the emails.

"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails," the researchers said, adding that the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.
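Because the intrusions above began with public exploits against unpatched servers, the first thing a defender can do besides patching is to hunt for the exploit traffic itself. The script below is an added example, not code from the article or from Trend Micro: it scans Exchange front-end IIS logs (W3C format) for the widely published ProxyShell (CVE-2021-34473) path-confusion indicator, a request to /autodiscover/autodiscover.json whose query string contains an "@" and an Email=autodiscover/autodiscover.json parameter, and tags whether the request reached the /mapi/nspi/ endpoint (the SID lookup used for the CVE-2021-34523 elevation step) or the /powershell endpoint. The log lines, hostnames, IP addresses and user agents are constructed for the demo.

```python
"""Hunt for ProxyShell (CVE-2021-34473) path-confusion requests in IIS W3C logs.

Added example; the indicator (stem /autodiscover/autodiscover.json plus a query
carrying '@' and Email=autodiscover/autodiscover.json) is the publicly
documented ProxyShell pattern. All log content below is constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample of an Exchange front-end IIS log (W3C format). Line 2 and 3
# mimic the ProxyShell chain (NSPI SID lookup, then the PowerShell endpoint);
# line 4 is a legitimate Autodiscover request that must NOT be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-15 08:12:01 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 302
2021-11-15 08:12:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.26.0 200
2021-11-15 08:12:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.26.0 200
2021-11-15 08:13:40 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice%40corp.example&Protocol=ActiveSync 443 corp\\alice 10.0.1.22 Outlook/16.0 200
"""

PROXYSHELL_EMAIL = re.compile(r"email=autodiscover/autodiscover\.json", re.I)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or no header yet
        parts = line.split(" ")            # W3C fields never contain raw spaces
        if len(parts) != len(fields):
            continue                       # skip truncated or malformed lines
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a tag for ProxyShell-style requests, or None for anything else."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "")
    if query == "-":                       # IIS logs '-' when there is no query
        query = ""
    # Decode once: public PoCs encode the '?' after the Email value as %3F.
    decoded_query = unquote(query).lower()
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return None
    if "@" not in decoded_query or not PROXYSHELL_EMAIL.search(decoded_query):
        return None
    if "/powershell" in decoded_query:
        return "proxyshell-powershell"     # reached the remote PowerShell endpoint
    if "/mapi/nspi" in decoded_query:
        return "proxyshell-nspi"           # NSPI lookup used to learn a user's SID
    return "proxyshell-generic"


def hunt(text):
    """Return (tag, client_ip, timestamp) for every flagged entry in the log."""
    hits = []
    for entry in parse_w3c(text):
        tag = classify(entry)
        if tag:
            hits.append((tag, entry["c-ip"], entry["date"] + " " + entry["time"]))
    return hits


if __name__ == "__main__":
    for tag, ip, when in hunt(SAMPLE_LOG):
        print(f"{when}  {ip:<15}  {tag}")
```

Point the script at the real log directory (by default C:\inetpub\logs\LogFiles\W3SVC1 on the Exchange host) and review any flagged source IP. Two caveats: ProxyLogon (CVE-2021-26855) leaves its best-known indicator in the Exchange HttpProxy logs rather than the IIS logs (X-AnchorMailbox values of the form ServerInfo~*/*), which this script does not parse; and a clean result only says the pattern was not logged, so it does not substitute for applying the Exchange security updates that close these bugs.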

The attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file; the document carries a malicious macro that, if the recipient enables it, retrieves the SQUIRRELWAFFLE loader.

"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files," the researchers concluded.


News URL

https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                                 RISK
2021-07-14  CVE-2021-34523  Improper Authentication vulnerability in Microsoft Exchange Server 2013/2016/2019   critical (9.0)
                            Microsoft Exchange Server Elevation of Privilege Vulnerability                      local, low complexity, CWE-287, vendor: microsoft
2021-07-14  CVE-2021-34473  Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019   critical (9.1)
                            Microsoft Exchange Server Remote Code Execution Vulnerability                       network, low complexity, CWE-918, vendor: microsoft
2021-03-03  CVE-2021-26855  Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019   critical (9.1)
                            Microsoft Exchange Server Remote Code Execution Vulnerability                       network, low complexity, CWE-918, vendor: microsoft