Threat actors and researchers actively scanning for ProxyShell vulnerabilities warn – Texasnewstoday.com

Researchers warn that attackers are currently scanning the Internet for Microsoft Exchange Server instances that have not been patched for the Proxy Shell vulnerability.

The technical details of the bug were disclosed by Devcore security researcher Orange Tsai at the Black Hat 2021 conference last week.

Tsai and his teammates allegedly discovered the bug at the Pwn2Own2021 hacking contest in April.

Microsoft Exchange Server, an email solution, has long been a target for state-sponsored threat actors because corporate mail servers store sensitive government and corporate information.

ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that can be used together to unauthenticate an attacker. You may be able to perform a run (RCE). Unpatched Microsoft Exchange server.

According to Orange Tsai, these vulnerabilities could be exploited remotely through the Microsoft Exchange Client Access Service (CAS) running on IIS port 443.

Microsoft quietly patched CVE-2021-34473 and CVE-2021-34523 with the KB5001779 cumulative update in April, while CVE-2021-31207 patched about a month later.

CVE-2021-34473 is a pre-authentication path confusion bug that can lead to ACL bypass, but CVE-2021-34523 is said to lead to privilege escalation of the Exchange PowerShell backend. Bleeping Computer..

The third flaw, CVE-2021-34473, is a post-authentication arbitrary file write bug that allows an attacker to execute arbitrary code remotely on the machine.

Tsai said in a talk last week that one of the components of the ProxyShell attack chain was the Microsoft Exchange Autodiscover service introduced by Microsoft to provide an easy way for email client software to automatically configure itself with minimal user input. I explained that I am targeting.

After watching Tsai’s talk, security researchers Peter Json and Jang published a blog post detailing how to successfully reproduce the ProxyShell exploit.

IT security researcher Kevin Beaumont also said last week that a threat attacker investigated a Microsoft Exchange server set up as a honeypot.

An interesting thing I noticed with MailPot using the Exchange server is that someone started targeting them using autodiscover.json. This is a detection evasion and a relatively undocumented feature. pic.twitter.com/MOuTaoOQL2

— Kevin Beaumont (@GossiTheDog) August 2, 2021

Honeypots are sacrificial computer systems with known security vulnerabilities that are exposed on the Internet to trigger cyberattacks. They help cybersecurity professionals monitor cybergroup activity.

Beaumont said the first attack failed, but later observed log entries for the server’s auto-discovery service, suggesting that the attacker had succeeded.

These findings also show that threat attackers are monitoring presentations at security conferences and adapting automated testing quickly.

Experts advise Exchange server administrators to install the latest cumulative updates from Microsoft as soon as possible.

With 400,000 Microsoft Exchange servers available on the Internet today, Tsai warned that the attack is expected to succeed soon.