Cybercriminals are scanning servers for the Microsoft Exchange ProxyShell RCE vulnerabilities after technical details were presented at Black Hat

Researchers report the detection of multiple attempts to exploit ProxyShell, a set of remote code execution flaws in Microsoft Exchange disclosed during the Black Hat cybersecurity conference. ProxyShell consists of three vulnerabilities that unauthenticated remote threat actors could chain together to execute malicious code in affected Exchange deployments.

ProxyShell is made up of the following three flaws:

  • CVE-2021-34473: Pre-authentication path confusion that could lead to ACL evasion
  • CVE-2021-34523: Privilege Escalation in the Exchange PowerShell Backend
  • CVE-2021-31207: Post-authentication file write vulnerability that could lead to remote code execution

According to reports, the vulnerabilities could be exploited remotely by unauthenticated threat actors through the Microsoft Exchange Client Access Service (CAS), which runs on IIS port 443.

These three flaws were reported by Orange Tsai, a researcher at Devcore. Last Thursday, he presented his findings at Black Hat, sharing some details about how these flaws can be exploited in Exchange.

The researcher explained that the exploitation of ProxyShell relies on multiple components of Microsoft Exchange, including the Autodiscover service that client applications use for configuration. The unusual thing is that, during his presentation, Orange Tsai shared some details that were useful in working out a method of exploitation.

Cybersecurity specialist Kevin Beaumont was one of the first researchers to detect active exploitation attempts, recommending users block 185.18.52.155 to prevent threat actors from detecting vulnerable Microsoft Exchange deployments automatically, mitigating the risk of exploitation.
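As an added, illustrative example (not code from the article or from any of the researchers it cites), the following Python script triages IIS W3C logs for requests from the scanner IP named above and summarises requests to the Autodiscover service per client IP so an analyst can review them. The log lines are constructed, and the field layout and the `/autodiscover/` path prefix are assumptions.

```python
"""Triage IIS W3C logs for the ProxyShell scanning activity described above."""
from collections import Counter

# Scanner IP named in the article (Kevin Beaumont's recommendation).
SCANNER_IPS = {"185.18.52.155"}

# Constructed sample records in IIS W3C extended format (not real traffic).
# IIS writes '+' instead of spaces inside the User-Agent field, so one token per column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-08 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200
2021-08-08 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json a=b 443 185.18.52.155 python-requests/2.25 401
2021-08-08 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json x=y 443 185.18.52.155 python-requests/2.25 200
2021-08-08 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 203.0.113.9 Outlook/16.0 200
"""


def parse_iis(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines the column order
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip it rather than misalign columns
        yield dict(zip(fields, values))


def triage(text, scanner_ips=SCANNER_IPS):
    """Return (records from known scanner IPs, Autodiscover request count per client IP)."""
    scanner_hits = []
    autodiscover = Counter()
    for rec in parse_iis(text):
        client = rec.get("c-ip", "")
        stem = rec.get("cs-uri-stem", "").lower()
        if client in scanner_ips:
            scanner_hits.append(rec)
        if stem.startswith("/autodiscover/"):  # assumed endpoint prefix
            autodiscover[client] += 1
    return scanner_hits, autodiscover


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG)
    for r in hits:
        print("known scanner:", r["date"], r["time"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    for ip, n in counts.most_common():
        print(f"{ip}: {n} Autodiscover request(s)")
```

Run it against real log files by replacing `SAMPLE_LOG` with the file contents; the per-IP Autodiscover counts are context for review, not proof of compromise on their own.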

While some exploits for these flaws already existed, the information revealed by Orange Tsai allowed threat actors to improve their attacks. Attackers reportedly send a request that triggers ASP.NET web application compilation in order to detect whether a system is vulnerable.

For complete mitigation of the risk, specialists recommend installing the updates issued by Microsoft. There are currently hundreds of thousands of vulnerable deployments, so Microsoft Exchange users are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.