An independent information security researcher from Vietnam has presented a PoC exploit for ProxyLogon vulnerabilities in Microsoft Exchange, whose viability has already been confirmed by such well-known experts.
In fact, these vulnerabilities can be chained together, and their exploitation would allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.
Many information security companies have warned of massive attacks on this chain of vulnerabilities. At first, ProxyLogon was exploited only by the Chinese hacker group Hafnium, but when information about the problems was published publicly, other attackers joined the case.
According to ESET analysts, at least ten hack groups are currently using ProxyLogon bugs to install backdoors on Exchange servers around the world.
What is worse, researchers at the Dutch non-profit organization DIVD scanned the Internet for vulnerable Microsoft Exchange servers and concluded that quite a few of the 250,000 available servers are still unsecured and running without patches. As a result of the audit, the researchers and volunteers assisting them tried to alert vulnerable companies and organizations of the problems by contacting local CERTs, providers, and company representatives directly.
Several PoC exploits have been posted on GitHub since the vulnerability was disclosed, but most of them turned out to be trolling or didn’t work as expected.
Now an independent cybersecurity researcher from Vietnam has presented a real PoC exploit, whose performance has already been confirmed by such well-known experts as Markus Hutchins from Kryptos Logic, Daniel Card from PwnDefend and John Whittington from Condition Black.
PoC combines the vulnerabilities CVE-2021-26855 and CVE-2021-27065 to authenticate to the Exchange server and then launch malicious code. Hutchins writes that the code provided by the researcher cannot be used out of the box, but it can be easily modified to become a full-fledged RCE tool.
It is also worth noting that Praetorian recently released a detailed overview of ProxyLogin vulnerabilities, although it refrained from publishing its own exploit. However, many researchers criticized this report because, in their opinion, it would only speed up the development of exploits, which would attract even more attackers to attacks.
Let me also remind you that Hackers attacked Microsoft Exchange servers of the European Banking Authority.