Attackers Now Scanning for ‘ProxyShell’ Vulnerabilities in Exchange Server – Redmondmag.com


Security researchers have detected scanning for “ProxyShell,” an Exchange Server attack chain anchored by a “Critical” remote code execution vulnerability (CVE-2021-34473).

Security researcher and ex-Microsoft employee Kevin Beaumont described seeing an uptick in ProxyShell scanning in an Aug. 9 Twitter post. In an Aug. 12 Twitter post, he stated that an “Exchange ProxyShell exploitation wave has started.”

“They’re backdooring boxes with webshells that drop other webshells and also executables that periodically call out,” Beaumont added in the Aug. 12 post. “Gonna be a cleanup job ahead for admins.”

The Webshells were shown to Lawrence Abrams, a writer at BleepingComputer.com, by security researcher Rich Warren, according to this Aug. 12 BleepingComputer.com article.

Microsoft published its advisory for CVE-2021-34473 last month, rating it 9.1 (out of 10) on the Common Vulnerability Scoring System scale; the fix itself shipped with the April 2021 Exchange Server security updates, and organizations likely are behind in applying them. The ProxyShell exploit was publicly described at last week’s Black Hat security conference, and it seems attackers are now looking to use it.

ProxyShell is actually a chain of three vulnerabilities: CVE-2021-34473, a pre-authentication path confusion in the Autodiscover front end that lets an attacker reach back-end endpoints; CVE-2021-34523, an elevation of privilege in the Exchange PowerShell back end; and CVE-2021-31207, a post-authentication arbitrary file write, abused through a mailbox export to drop a Webshell. Security researcher Orange Tsai of DEVCORE is credited with the discovery. Orange Tsai presented the ProxyShell chain at Black Hat after “responsible disclosure” to Microsoft, he indicated.
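The scanning and the chain described above leave a recognizable trace in the Exchange front-end IIS logs. The following is an added example, not code from the article or from any of the researchers it quotes: a heuristic sweep of IIS W3C access-log lines that flags the Autodiscover path-confusion probe and the follow-on PowerShell back-end stage. It assumes the requests look as they are known to in the wild, a hit on `/autodiscover/autodiscover.json` whose query string carries an `@domain` fragment aimed at a back-end path such as `/mapi/nspi/` or `/powershell/`; the log lines, client addresses and token value are constructed for the example.

```python
"""Heuristic sweep of IIS front-end access logs for ProxyShell-style requests.

Added example; not code from the article or from any researcher it quotes.
Assumptions: probes and exploit stages arrive at the Exchange front end as
requests to /autodiscover/autodiscover.json whose query string carries an
"@domain" fragment that redirects processing to a back-end path such as
/mapi/nspi/ or /powershell/.  The log lines below are constructed for the
example and use documentation IP ranges.
"""
from collections import Counter
from dataclasses import dataclass

# Back-end paths reachable through the Autodiscover path confusion
# (CVE-2021-34473).  A /powershell request carrying an X-Rps-CAT token is the
# privilege-elevation stage (CVE-2021-34523) of the chain.
BACKEND_HINTS = ("/mapi/nspi", "/powershell", "/ews", "/owa", "/ecp")

# Constructed sample in IIS W3C format (field list trimmed); IIS writes "-"
# for an empty query and "+" in place of spaces in the user agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-12 03:14:07 10.0.0.5 GET /owa/ - 443 203.0.113.10 Mozilla/5.0+(Windows) 200
2021-08-12 03:14:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.example 443 198.51.100.7 python-requests/2.25.1 200
2021-08-12 03:14:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=CONSTRUCTEDTOKEN&Email=autodiscover/autodiscover.json%3f@evil.example 443 198.51.100.7 python-requests/2.25.1 200
2021-08-12 03:14:20 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 192.0.2.44 Microsoft+Office/16.0 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    status: str
    stage: str
    query: str


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; skip rather than abort the sweep
        yield dict(zip(fields, values))


def classify(rec):
    """Return a stage label for a ProxyShell-looking request, or None."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    q = "" if query == "-" else query.lower()
    if stem != "/autodiscover/autodiscover.json" or "@" not in q:
        return None
    if "/powershell" in q and "x-rps-cat=" in q:
        return "powershell-backend (CVE-2021-34523 stage)"
    if any(hint in q for hint in BACKEND_HINTS):
        return "autodiscover-path-confusion (CVE-2021-34473 probe)"
    if "email=autodiscover/autodiscover.json" in q:
        return "autodiscover-path-confusion (CVE-2021-34473 probe)"
    return None


def scan(lines):
    """Run classify() over a log and return the flagged records in order."""
    hits = []
    for rec in parse_w3c(lines):
        stage = classify(rec)
        if stage:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["sc-status"], stage, rec["cs-uri-query"]))
    return hits


def summarize(hits):
    """Count flagged requests per client IP; the triage starting point."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.client_ip} {h.status} {h.stage}")
    print(summarize(found))
```

A hit here means the server was scanned, not that it was compromised: a patched front end still logs the probe before rejecting it. Treat the per-IP counts as a starting point, and pair them with the response status, the back-end (port 444) logs and the Webshell indicators the article describes, such as unexpected .aspx files under the Exchange web roots and mailbox export requests nobody ordered, before declaring an intrusion.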

ProxyShell and ProxyLogon
A series of zero-day Exchange Server flaws, dubbed “ProxyLogon,” inspired Orange Tsai’s research, and ProxyShell branched off from that work, he indicated. Microsoft had issued “out-of-band” fixes for the ProxyLogon vulnerabilities back in early March.

However, the ProxyLogon research opened up a new attack surface in Exchange Server, and ProxyLogon itself was “just the tip of the iceberg,” Orange Tsai indicated in an announcement. That announcement is Part 1 of a planned four-part series describing these “new” Exchange Server vulnerabilities.

Microsoft released those “out-of-band” Exchange Server patches in early March after an advanced persistent threat (APT) group was found exploiting one of the ProxyLogon vulnerabilities. Orange Tsai, though, explained in his announcement that “even though they used the same SSRF [server-side request forgery], the APT group was exploiting it in a very different way from us.”

The ProxyLogon attacks by that APT group, dubbed “Hafnium” by Microsoft, were widespread. In March, Microsoft released indicator-of-compromise tools to detect possible Webshell activity. In April, the U.S. Federal Bureau of Investigation disclosed that it had deleted Webshells on Hafnium-compromised systems.

Unpatched Exchange Servers
Security researcher Jan Kopriva used Shodan, a search engine that indexes devices connected to the Internet, to find “about 30,400 machines affected by the three vulnerabilities” associated with ProxyShell. A chart in Kopriva’s SANS Internet Storm Center post showed that most of the Exchange Servers vulnerable to the ProxyShell attack are located in the United States, followed by Germany, the United Kingdom and France.

Abrams was told by security solutions firm Bad Packets that it was seeing ProxyShell scanning of “IP addresses in the USA, Iran and the Netherlands.”

Lots of Exchange Server systems aren’t patched, according to both Orange Tsai and Beaumont, who indicated that “thousands of orgs” haven’t applied the Exchange Server patches from April and May.

About the Author

Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.

Source of this news: https://redmondmag.com/articles/2021/08/13/proxyshell-vulnerabilities-in-exchange-server.aspx
