- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
ProxyLogon Microsoft Exchange exploit is completely out of the bag by now
A security researcher released a new PoC exploit for ProxyLogon issues that could be adapted to install web shells on vulnerable Microsoft Exchange servers.
A security researcher has released a new proof-of-concept exploit that could be adapted to install web shells on Microsoft Exchange servers vulnerable ProxyLogon issues.
Since the disclosure of the flaw, security experts observed a surge in the attacks against Microsoft Exchange mailservers worldwide.
Check Point Research team reported that that in a time span of 24 hours the exploitation attempts are doubling every two hours.
“CPR has seen hundreds of exploit attempts against organizations worldwide” reads the post published by CheckPoint. “In the past 24 hours alone, CPR has observed that the number exploitation attempts on organizations it tracks doubled every two to three hours.”
Most of exploit attempts targeted organizations in Turkey (19%), followed by United States (18%) and Italy (10%). Most targeted sectors have been Government/Military (17% of all exploit attempts), followed by Manufacturing (14%), and then Banking (11%).
Security experts pointed out that the flaws are actively exploited to deliver web shells, and more recently ransomware such as the DearCry ransomware.
Last week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.
The availability of the proof-of-concept code was first reported by The Record.
A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution.
Jang explained that he has published the PoC code to raise the alert on the recent wave of hacks and give the opportunity to colleagues to study the code use in the attacks.
Experts at Praetorian published a detailed technical analysis of the exploit for the Microsoft Exchange flaws, they performed a reverse-engineering of the CVE-2021-26855 patch and developed a fully functioning end-to-end exploit
During the weekend, another security researcher published a new PoC exploit for the ProxyLogon vulnerabilities. The code is not ready-to-use but requires to be modified to be used to compromise vulnerable Microsoft Exchange servers.
Will Dorman, a vulnerability researcher at the CERT/CC, confirmed the availability of the exploit and that it works.
Well, I’ll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.https://t.co/ubsysTeFOj
I’m not so sure about the “Failed to write to shell” error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. pic.twitter.com/ijOGx3BIif— Will Dormann (@wdormann) March 13, 2021
He pointed out that there is no need to search for exploit in the dark web or on cybercrime/hacking forums, searching it on Google it is possible to find the exploit code.
The difference between the two screenshots was actually probably just a difference between Python2 and Python3.
How did I find this exploit? Hanging out in the dark web? A hacker forum?
No.
Google search. You should check it out if you haven’t already!https://t.co/zBaLT6rsYM— Will Dormann (@wdormann) March 13, 2021
This time I did a better job of copy-pasting the original PoC (with JavaScript enabled… sigh)
No stray error messages here. pic.twitter.com/bRc2Tqg3yf— Will Dormann (@wdormann) March 13, 2021
A joint analysis conducted by Microsoft and RiskIQ allowed to identify more than 100,000 servers still vulnerable.
“Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated,” reads a post published by Microsoft last week. “We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.”
The public availability of PoC exploits and the large number of vulnerable Exchange servers exposed online pose serious risks for organizations.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine