Patch ProxyShell Vulnerabilities on Microsoft Exchange Servers

Exchange servers have always been on the target of threat actors to gain access to the sensitive and confidential information that they store. The pre-authenticated ProxyShell and ProxyLogon RCE vulnerabilities disclosed by Orange Tsai, principal researcher at DEVCORE – an information security firm, in January 2021 are considered one of the most severe vulnerabilities found in the history of MS Exchange. The threat actors exploited these vulnerabilities to access Exchange servers and install web shells, backdoors, and ransomware.

The threat actors and groups, such as Hafnium, had compromised more than 30,000 Exchange servers across the world by the time Microsoft released the mitigation tool and security updates to patch these vulnerabilities in March.

And now that the technical details and information on ProxyShell vulnerabilities are disclosed, threat actors are scanning vulnerable Exchange servers using the auto-discover URL disclosed by Tsai.

I may have an update – somebody is accessing /autodiscover/autodiscover.json to access MAPI and my IIS is writing out files and executing commands cc @peterjson pic.twitter.com/oBPG1bvshx

— Kevin Beaumont (@GossiTheDog) August 6, 2021

What is ProxyShell Vulnerability?

ProxyShell refers to three RCE vulnerabilities:

• CVE-2021-34473 – Microsoft Exchange Server RCE Vulnerability (Patched in April)
• CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege on Exchange PowerShell Vulnerability (Patched in April)
• CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched in May)

When these vulnerabilities are chained together, they allow threat actors to perform unauthorized remote code execution on the Exchange servers. Although CVE-2021-34473 and CVE-2021-34523 were discovered in July, Microsoft has patched them quietly with the April security updates release.

However, technical details related to Microsoft Exchange ProxyShell RCE (Remote Code Execution) vulnerabilities were recently disclosed at the BlackHat USA 2021 conference. Security researchers PeterJson and Jang even reproduced the ProxyShell exploit and published an article providing more technical details on how threat actors possibly executed the exploit.

After the disclosure, threat actors are now actively scanning the Microsoft Exchange servers to exploit these vulnerabilities. Their initial attempts were unsuccessful but they have now modified their scans and using autodiscover URL disclosed by Tsai.

The URL appears to help threat actors identify vulnerable Exchange servers.

How to Know If Attackers scanned Exchange Server?

Researcher Kevin Beaumont advised Exchange and IT administrators to check IIS logs strings using the Azure Sentinel Keyword Query Language (KQL Query) for the following strings:

W3CIISLog

| where csUriStem == “/autodiscover/autodiscover.json”

| where csUriQuery has “/mapi/nspi/”

If the output results list the autodiscover URL, it indicates the threat actors scanned your server.  

How to Mitigate the Threat?

It is strongly advised to install the latest cumulative updates to safeguard your Exchange server against the attack.

For more details, you can refer to our blog on Microsoft Exchange Remote Code Execution Vulnerability Flaws and their Fixes.

To Wrap Up

Exchange servers are a well-known mail solution for government organizations and enterprises worldwide. They store emails and other data containing sensitive information, making them a primary target for the threat actors. According to Tsai’s survey, more than 400,000 Exchange servers are still exposed on the web and vulnerable to ProxyShell attacks. If you haven’t patched your Exchange server, now is the high time to do so as the technical details of the RCE attacks are out and more threat actors are actively looking for vulnerable Exchange servers.