- How to Become a Chief Information Officer: CIO Cheat Sheet
- 3 handy upgrades in MacOS 15.1 - especially if AI isn't your thing (like me)
- Your Android device is vulnerable to attack and Google's fix is imminent
- Microsoft's Copilot AI is coming to your Office apps - whether you like it or not
- How to track US election results on your iPhone, iPad or Apple Watch
ProxyLogon Microsoft Exchange exploit is completely out of the bag by now
A security researcher released a new PoC exploit for ProxyLogon issues that could be adapted to install web shells on vulnerable Microsoft Exchange servers.
A security researcher has released a new proof-of-concept exploit that could be adapted to install web shells on Microsoft Exchange servers vulnerable ProxyLogon issues.
Since the disclosure of the flaw, security experts observed a surge in the attacks against Microsoft Exchange mailservers worldwide.
Check Point Research team reported that that in a time span of 24 hours the exploitation attempts are doubling every two hours.
“CPR has seen hundreds of exploit attempts against organizations worldwide” reads the post published by CheckPoint. “In the past 24 hours alone, CPR has observed that the number exploitation attempts on organizations it tracks doubled every two to three hours.”
Most of exploit attempts targeted organizations in Turkey (19%), followed by United States (18%) and Italy (10%). Most targeted sectors have been Government/Military (17% of all exploit attempts), followed by Manufacturing (14%), and then Banking (11%).
Security experts pointed out that the flaws are actively exploited to deliver web shells, and more recently ransomware such as the DearCry ransomware.
Last week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.
The availability of the proof-of-concept code was first reported by The Record.
A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution.
Jang explained that he has published the PoC code to raise the alert on the recent wave of hacks and give the opportunity to colleagues to study the code use in the attacks.
Experts at Praetorian published a detailed technical analysis of the exploit for the Microsoft Exchange flaws, they performed a reverse-engineering of the CVE-2021-26855 patch and developed a fully functioning end-to-end exploit
During the weekend, another security researcher published a new PoC exploit for the ProxyLogon vulnerabilities. The code is not ready-to-use but requires to be modified to be used to compromise vulnerable Microsoft Exchange servers.
Will Dorman, a vulnerability researcher at the CERT/CC, confirmed the availability of the exploit and that it works.
Well, I’ll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.https://t.co/ubsysTeFOj
I’m not so sure about the “Failed to write to shell” error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. pic.twitter.com/ijOGx3BIif— Will Dormann (@wdormann) March 13, 2021
He pointed out that there is no need to search for exploit in the dark web or on cybercrime/hacking forums, searching it on Google it is possible to find the exploit code.
The difference between the two screenshots was actually probably just a difference between Python2 and Python3.
How did I find this exploit? Hanging out in the dark web? A hacker forum?
No.
Google search. You should check it out if you haven’t already!https://t.co/zBaLT6rsYM— Will Dormann (@wdormann) March 13, 2021
This time I did a better job of copy-pasting the original PoC (with JavaScript enabled… sigh)
No stray error messages here. pic.twitter.com/bRc2Tqg3yf— Will Dormann (@wdormann) March 13, 2021
A joint analysis conducted by Microsoft and RiskIQ allowed to identify more than 100,000 servers still vulnerable.
“Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated,” reads a post published by Microsoft last week. “We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.”
The public availability of PoC exploits and the large number of vulnerable Exchange servers exposed online pose serious risks for organizations.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine