A new attack vector named ProxyShell was recently disclosed. ProxyShell is a Microsoft Exchange server vulnerability which provides an attacker with unauthenticated remote code execution (RCE) capabilities.
Microsoft Exchange Server is a mail and calendaring server that runs exclusively on Windows Server operating systems and is used by many organizations worldwide.
Microsoft released security updates for the ProxyShell vulnerabilities in April and May of 2021. However, many organizations still haven’t fully patched their Exchange servers and are still vulnerable to this attack.
This is part of an extensive series of guides about Network Attacks.
In the last few months there has been a trend of threat actors targeting Microsoft Exchange servers. Exchange servers are a critical entry point to an organization’s network – gaining a foothold in this component enables threat actors to easily infiltrate the inner network. Examples of this attack wer recently published by Israeli press regarding Chinese cyber-attacks on Israeli government, banks and high-tech organizations by exploiting Microsoft Exchange servers. Exchange servers also hold personal and confidential data which can be used in several ways to gain profit.
Enterprises often use on-premises Exchange servers that, if left unpatched, can widen the attack surface. According to Shodan.io, 400,000 on premise Exchange servers are open to the Internet, increasing the possibility of finding a vulnerable server which may lead to a successful exploit.
One of the most exploited Exchange vulnerabilities is ProxyLogon which was used by the HAFNIUM APT to deploy the China Chopper web shell and steal data from a compromised network. Following its disclosure, the ProxyLogon vulnerability was also used by other malicious threat actors for different purposes such as deploying ransomware and exfiltrating sensitive data.
As part of the 2021 Black-Hat conference, Orange Tsai, a security researcher shared his discovery of the ProxyShell attack vector which is a combination of 3 vulnerabilities chained together to provide the attacker with an unauthenticated remote code execution (RCE). These chained vulnerabilities can be exploited remotely via Microsoft Exchange’s Client Access Service (CAS) which runs on port 443 in Internet Information Services (IIS).
The attack is comprised of the following steps:
Technical analysis of the POC’s can be found in Orange Tsai’s Black-Hat presentation.
The Cynet Security Research team has already deployed new rules aimed to detect and prevent exploitation attempts of these vulnerabilities and is currently working on additional detections to increase the visibility around it.
We strongly advise all customers to install the latest security updates on their Exchange servers which can be found here.
The CyOps team monitors our customers’ environments 24/7 and will be in contact in case any indicators of this vulnerability are detected in your environment.
Cynet CyOps is available to clients for any issues 24/7, questions or comments related to Cynet 360. For additional information, you may contact us directly at:
CyOps Mailbox – [email protected]
CyOps Team Leader – [email protected]
CyOps Manager – [email protected]
Israel: +972 72-3369736
UK: +44 2032 909051
US : +1 (347) 474-0048
Ready to extend visibility, threat detection and response?