A hacking group is exploiting Microsoft Exchange servers exposed to the ProxyShell vulnerability in order to install a backdoor and deploy subsequent attacks. As you may recall, ProxyShell is a set of three security flaws in Exchange whose exploitation would allow remote code execution.
The vulnerabilities were reported by Orange Tsai of security firm Devcore. The researcher managed to chain together the exploitation of the three flaws to take full control of an Exchange server, demonstrating his attack in Pwn2wn 2021. Below is a brief description of the reported flaws:
- CVE-2021-34473: Pre-authentication path confusion that could lead to ACL evasion
- CVE-2021-34523: Privilege Escalation in the Exchange PowerShell Backend
- CVE-2021-31207: Arbitrary writing of post-authentication files that could lead to a remote code execution (RCE) scenario
In a later demonstration, Orange Tsai described how it is possible to compromise a vulnerable Exchange deployment by targeting Client Access Service (CAS). Orange Tsai added that exploiting ProxyShell requires the AutoDiscover feature to deploy a server-side request spoofing (SSRF) attack.
Shortly after the presentation, a team of researchers published additional technical details about the exploitation of this attack, which contributed to some hacking groups starting to actively exploit this flaw.
On the other hand, vulnerability analysts Kevin Beaumont and Rich Warren claim that hacking groups tried to abuse this flaw in their honeypots, which allowed them to learn a few things about the attackers. Threat actors employ an initial URL as shown below:
https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com
The exploit used by the attackers delivers a webshell of just 265 KB in the c:\inetpub\wwwroot\aspnet_client\ folder.
The researchers mention that 265KB is the minimum file size that can be created using the ProxyShell exploit due to its abuse of the Exchange Powershell Mailbox Export feature to create PST files.
Warren mentions that the webshells employed by hackers consist of an authentication-protected script that allows arbitrary uploading of files to vulnerable Exchange implementations. To do this, threat actors use the first webshell to upload a second webshell to a remote access folder and two executable files to C:\Windows\System32 folder.
A full report of these attacks is available on the researchers’ official platforms.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.