Microsoft Exchange Server: threat actors actively scanning for ProxyShell vulnerability, researchers warn

ProxyShell is a set of three security flaws that have already been addressed by Microsoft, but not all instances are patched

Attackers are currently scanning the internet for Microsoft Exchange Server instances that have not been patched for the ProxyShell vulnerability, researchers have warned.

The technical details of the bug were disclosed last week by Devcore security researcher Orange Tsai at the Black Hat 2021 conference.

Tsai and his teammates are credited for discovering this bug during the Pwn2Own 2021 hacking contest held in April.

Microsoft Exchange Server, an email solution, is a long-time target of state-backed threat actors as corporate mail servers store the confidential secrets of government agencies and enterprises.

ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) which, when used together, could enable a threat actor to perform unauthenticated, remote code execution (RCE) on unpatched Microsoft Exchange servers.

According to Orange Tsai, these vulnerabilities can be remotely exploited through Microsoft Exchange's Client Access Service (CAS) running on port 443 in IIS.

Microsoft quietly patched CVE-2021-34473 and CVE-2021-34523 in April with its KB5001779 cumulative update, while CVE-2021-31207 was patched about a month later.

CVE-2021-34473 is a pre-authentication path confusion bug that could result in ACL bypass, while CVE-2021-34523 results in elevation of privilege on Exchange PowerShell Backend, according to BleepingComputer.

The third flaw, CVE-2021-34473, is a post-authentication arbitrary-file-write bug that enables attackers to remotely execute arbitrary code on a machine.

Tsai explained in his talk last week that one of the components of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service that was introduced by Microsoft to provide an easy way for mail client software to auto-configure itself with minimal input from the user.

After watching Tsai's talk, security researchers PeterJson and Jang published a blog post detailing how they were able to successfully reproduce the ProxyShell exploit.

IT security researcher Kevin Beaumont also said last week that a threat actor had probed his Microsoft Exchange server, which he had set up as a honeypot.

Honeypots are sacrificial computer systems with known security vulnerabilities that are exposed on the Internet to attract cyber attacks. They can help cyber security experts to monitor activities of cyber groups.

Beaumont said that while initial attacks were unsuccessful, he later observed entries in the log against the server's Autodiscover service, suggesting that the attackers had managed to conduct successful attacks.

These findings also indicate that threat actors are watching presentations at security conferences and quickly adapting their automatic tests.

Experts advise Exchange server admins to install the latest cumulative updates from Microsoft as soon as possible.

There are currently 400,000 Microsoft Exchange servers exposed on the Internet, so successful attacks are expected to come very soon, Tsai warned.