Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns (Security News, November 2021)
Threat actors are exploiting the ProxyLogon and ProxyShell vulnerabilities in unpatched Microsoft Exchange servers as part of an ongoing spam campaign that hijacks stolen email threads to slip past security software and deploy malware on the systems of recipients who follow the links.
ProxyLogon and ProxyShell are the names given to two chains of Microsoft Exchange Server flaws (ProxyLogon built around CVE-2021-26855, ProxyShell around CVE-2021-34473 and CVE-2021-34523) that allow an unauthenticated attacker to elevate privileges and execute arbitrary code remotely, effectively taking control of the vulnerable server.
Trend Micro said it observed public exploits for CVE-2021-26855, CVE-2021-34473 and CVE-2021-34523 being used against three Exchange servers compromised in separate intrusions; the attackers then used that access to hijack legitimate email threads and send malicious spam as replies within them, making it far more likely that unsuspecting recipients would open the messages.
"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails," the researchers said. They added that the attackers did not perform lateral movement or install additional malware on the servers themselves, so as to stay under the radar and avoid triggering alerts.
The attack chain involves rogue reply emails containing a link that, when clicked, drops a Microsoft Excel or Word document; the campaign is tracked as SQUIRRELWAFFLE, after the malware loader it delivers.
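The detection gap the researchers describe (mail that stays inside the organisation never reaches the gateway, so gateway filtering cannot catch it) is one that has to be closed on the mail server or mailbox side. The following Python is an added example, not code from the article or from Trend Micro's research: it walks a message's References/In-Reply-To chain back to the earlier messages of the same thread and flags a reply that introduces a link to an external domain never seen earlier in that thread, noting when the message stays internal-only (gateway bypass) or fans out to recipients who were not thread participants. The organisation domain `corp.example`, the `Message` class, the sample thread and the heuristic itself are all constructed assumptions for illustration, not a documented detection.

```python
import re
from dataclasses import dataclass, field

# Assumed organisation domain; internal-to-internal mail never crosses the gateway.
INTERNAL_DOMAIN = "corp.example"
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    """Minimal stand-in for a parsed mail item (constructed for this example)."""
    message_id: str
    sender: str
    recipients: list
    subject: str
    body: str
    in_reply_to: str = None
    references: list = field(default_factory=list)


def link_domains(text):
    """Host names of every http(s) URL in the text, lower-cased."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def earlier_messages(msg, corpus):
    """Messages of the same thread that msg points back to via References/In-Reply-To."""
    by_id = {m.message_id: m for m in corpus}
    wanted = list(msg.references) + ([msg.in_reply_to] if msg.in_reply_to else [])
    return [by_id[r] for r in dict.fromkeys(wanted) if r in by_id]


def hijack_indicators(msg, corpus):
    """Reasons msg looks like a hijacked reply; an empty list means nothing suspicious.

    Heuristic (an assumption, not a documented detection): a reply to a known
    thread that introduces a link to an external domain never seen earlier in
    that thread is suspicious. It is more so when the mail stays internal (the
    gateway never sees it) or when the recipient list widens beyond the
    original participants, as in the "reach all the internal domain users"
    behaviour described above.
    """
    earlier = earlier_messages(msg, corpus)
    if not earlier:
        return []  # not a reply, or a reply to a thread we have no record of

    seen_domains = set().union(*(link_domains(m.body) for m in earlier))
    new_external = {
        d for d in link_domains(msg.body) - seen_domains
        if not d.endswith(INTERNAL_DOMAIN)
    }
    if not new_external:
        return []

    reasons = [f"new external link domain(s) not present earlier in thread: {sorted(new_external)}"]
    if is_internal(msg.sender) and all(is_internal(r) for r in msg.recipients):
        reasons.append("internal-only delivery: message never traversed the mail gateway")
    participants = {m.sender.lower() for m in earlier} | {
        r.lower() for m in earlier for r in m.recipients
    }
    widened = sorted(r for r in msg.recipients if r.lower() not in participants)
    if widened:
        reasons.append(f"recipients widened beyond thread participants: {widened}")
    return reasons


# Constructed sample thread (not real mail): a normal internal exchange, then a
# reply from the same internal mailbox that adds an external link and fans out.
THREAD = [
    Message("<q1@corp.example>", "alice@corp.example", ["bob@corp.example"],
            "Q3 budget", "Bob, figures are on https://intranet.corp.example/q3"),
    Message("<q2@corp.example>", "bob@corp.example", ["alice@corp.example"],
            "RE: Q3 budget", "Thanks, will review.",
            in_reply_to="<q1@corp.example>", references=["<q1@corp.example>"]),
]
BENIGN_REPLY = Message(
    "<q3@corp.example>", "alice@corp.example", ["bob@corp.example"],
    "RE: Q3 budget", "See https://intranet.corp.example/q3-final",
    in_reply_to="<q2@corp.example>", references=["<q1@corp.example>", "<q2@corp.example>"])
HIJACKED_REPLY = Message(
    "<q4@corp.example>", "alice@corp.example",
    ["bob@corp.example", "carol@corp.example", "dave@corp.example"],
    "RE: Q3 budget", "Updated sheet here: https://files.invalid-example.net/Q3.xlsm",
    in_reply_to="<q2@corp.example>", references=["<q1@corp.example>", "<q2@corp.example>"])

if __name__ == "__main__":
    for m in (BENIGN_REPLY, HIJACKED_REPLY):
        print(m.message_id, hijack_indicators(m, THREAD) or "clean")
```

The benign reply reuses a domain already present in the thread and is left alone; the hijacked one is flagged on all three counts. In a real deployment the thread store would be the mailbox or message-tracking data rather than an in-memory list, and the external-domain test would be tightened with an allowlist of partner domains to keep the false-positive rate usable.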
"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files," the researchers concluded.
News URL
https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html
Related vulnerabilities

Date | CVE | Vulnerability title | Risk score
---|---|---|---
2021-07-14 | CVE-2021-34523 | Improper authentication in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Elevation of Privilege Vulnerability) | 9.0
2021-07-14 | CVE-2021-34473 | Server-side request forgery (SSRF) in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | 9.1
2021-03-03 | CVE-2021-26855 | Server-side request forgery (SSRF) in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | 9.1