Experts warn that hackers are attacking Microsoft Exchange servers, exploiting ProxyShell vulnerabilities, and installing backdoors on them for subsequent access.
Let me remind you that the vulnerabilities, which are collectively called ProxyShell, were recently discussed at the Black Hat conference. ProxyShell combines three vulnerabilities that allow remote code execution without authentication on Microsoft Exchange servers.
These vulnerabilities are exploited through the Microsoft Exchange Client Access Service (CAS), which listens on port 443.
- CVE-2021-34473: Path Confusion without authentication leading to ACL bypass (fixed in April in KB5001779);
- CVE-2021-34523: Privilege Escalation in Exchange PowerShell Backend (fixed in April in KB5001779);
- CVE-2021-31207: Writing arbitrary files after authentication, leading to remote code execution (fixed in May in KB5003435).
These problems were initially discovered by Devcore researchers, whose team received a $200,000 prize for exploiting them at the April 2021 Pwn2Own hacking competition. Devcore has now given a talk at Black Hat going into more detail about the Microsoft Exchange vulnerabilities, after which hackers began scanning the internet for vulnerable systems.
Now, well-known information security researchers Kevin Beaumont and Rich Warren tweet that cybercriminals have already moved from scanning to active exploitation and have attacked their Microsoft Exchange honeypots using ProxyShell.
Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from @orange_8361's initial talk.
— Kevin Beaumont (@GossiTheDog) August 12, 2021
At present, cybercriminals are using ProxyShell to inject a 265 KB web shell on the server at c:\inetpub\wwwroot\aspnet_client\ (265 KB is the minimum file size that can be created using a ProxyShell exploit).
Bleeping Computer reports that such web shells consist of a simple authentication-protected script that attackers can use to upload files to a compromised server. Rich Warren adds that attackers use the first web shell to download an additional web shell to a remote access folder, as well as two executables in C:\Windows\System32: createhidetask.exe and ApplicationUpdate.exe.
If these executables are not found, another web shell is created as an ASPX file with a random name at C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\.
The attackers use the second web shell to launch createhidetask.exe, which creates a scheduled task named PowerManager; that task runs the ApplicationUpdate.exe executable at 1 am every day.
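As an added example (not code from the article or from the researchers it quotes), here is a PowerShell check a defender could run on an Exchange server for the artifacts described above. The drop directories, executable names and task name come from the text; the 30-day lookback window and the output format are this example's own assumptions.

```powershell
# Added example: hunt for the ProxyShell post-exploitation artifacts named in the
# article. Run from an elevated PowerShell session on the Exchange server.
# Paths, file names and the task name come from the article; the 30-day window
# and the report layout are assumptions of this example.

$findings = @()

# 1. Recently written ASPX files in the two web shell drop locations.
$shellDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'
)
foreach ($dir in $shellDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Type   = 'aspx-file'
                    Path   = $_.FullName
                    Detail = "size=$($_.Length) written=$($_.LastWriteTime)"
                }
            }
    }
}

# 2. The two executables the article says are dropped into System32.
foreach ($exe in 'createhidetask.exe', 'ApplicationUpdate.exe') {
    $p = Join-Path $env:SystemRoot "System32\$exe"
    if (Test-Path $p) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'exe'; Path = $p; Detail = "sha256=$h" }
    }
}

# 3. The persistence task: a task named PowerManager, or any task whose action
#    runs ApplicationUpdate.exe (in case the name was changed).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $cmds = ($_.Actions | ForEach-Object { $_.Execute }) -join ' '
    if ($_.TaskName -eq 'PowerManager' -or $cmds -match 'ApplicationUpdate\.exe') {
        $findings += [pscustomobject]@{
            Type   = 'scheduled-task'
            Path   = "$($_.TaskPath)$($_.TaskName)"
            Detail = "state=$($_.State) exec=$cmds"
        }
    }
}

if ($findings.Count -eq 0) { 'No ProxyShell post-exploitation artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on any of the three checks is worth treating as a compromised server rather than a false positive, since none of these files or tasks belong to a default Exchange installation.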
While the current payload is harmless, it is expected to be replaced with a malicious one once the attackers have compromised enough servers.
Let me remind you that I also reported that the US and UK accused China of attacks on Microsoft Exchange servers.