Threat actors have begun to use the recently published Microsoft Exchange Server vulnerabilities to offer web shells that grant them access to the infected server.
Orange Tsai, principal researcher at DEVCORE, has revealed the specifics of three Exchange vulnerabilities that can be used by remote, unauthenticated attackers to gain control of susceptible systems.
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 are the weaknesses, and they’re all grouped together as ProxyShell. After Orange Tsai showed the holes at the Pwn2Own hacking competition in April, Microsoft delivered patches, but only advisories in May and July.
In a blog post, cybersecurity firm Rapid7 revealed how chaining these vulnerabilities allows an attacker to overcome ACL constraints, submit a request to a PowerShell back-end, and elevate privileges, essentially authenticating the attacker and enabling for remote code execution.
Hackers began combing the internet for unprotected Exchange servers shortly after Orange Tsai revealed the technical specifics of the ProxyShell attack at the Black Hat and DEF CON conferences last week. The web has exposed tens of thousands of affected devices.
Now, it appears that attackers have begun distributing harmful payloads. On Thursday, researchers Rich Warren and Kevin Beaumont stated that their honeypots had detected efforts to use the ProxyShell vulnerabilities to create web shells.
Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities. This one dropped a c# aspx webshell in the /aspnet_client/ directory: pic.twitter.com/XbZfmQQNhY
— Rich Warren (@buffaloverflow) August 12, 2021
“They’re backdooring systems with webshells that drop additional webshells, as well as executables that call out on a regular basis,” Beaumont explained.
The attackers use web shells to gain remote access to the compromised servers, although it’s unclear what their objectives are.
It’s worth mentioning that the Exchange vulnerabilities identified as ProxyLogon, discovered by Orange Tsai during the same research project and publicly revealed earlier this year, have been exploited for diverse purposes by both profit-driven hackers and state-sponsored threat actors.
Bad Packets, a threat intelligence firm, stated on Thursday that it was still seeing a lot of scanning activity looking for Exchange servers that were vulnerable to ProxyShell assaults.
Indicators of compromise (IOCs) that can be used to detect ProxyShell attacks have been made public by Warren, Beaumont, and others.