A security researcher has released a new proof-of-concept (PoC) that requires only slight modifications to install web shells on Microsoft Exchange servers vulnerable to the actively exploited ProxyLogon bug. Since Microsoft disclosed the Microsoft Exchange security vulnerabilities, known as ProxyLogon, system administrators and security personal have been scrambling to patch and protect vulnerable systems. These attacks are being used to drop web shells, crypto miners, and more recently, the DearCry ransomware on exploited servers. Earlier this week, security researcher Nguyen Jang published a blog with the PoC exploit that when first posted, included a flaw that would make the PoC run incorrectly. It was close enough to working that researchers and attackers alike can develop a functional remote code execution Microsoft Exchange server. Microsoft-owned GitHub took down the PoC to protect devices that are being exploited. This weekend, a separate researcher published a new ProxyLogon PoC that requires very little modification to exploit this flaw. This new PoC, according to Will Dorman a Vulnerability Analyst at the CERT/CC, requires minimal modification and is now within reach of “script kiddies.” A script kiddie is a person who uses existing computer scripts or code to hack into computers, lacking the expertise to write their own.
Analyst Notes
With exploits for the Microsoft Exchange vulnerabilities becoming publicly available, it is more important than ever that system administrators patch their servers and use the available resources to search for webshells or other exploitation artifacts that could give attackers continued access to compromised Exchange servers. According to Palo Alto Networks’ research, there are approximately 80,000 vulnerable Microsoft Exchange servers exposed on the Internet. Many of these servers are older versions that do not have available security updates. On Thursday, Microsoft released additional security updates for older versions of Microsoft Exchange, which now cover 95% of the servers exposed on the Internet. Administrators are recommended to keep an eye out for patches and apply them as soon as possible.
Source Article: https://www.bleepingcomputer.com/news/security/new-poc-for-microsoft-exchange-bugs-puts-attacks-in-reach-of-anyone/
Microsoft security update: https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020
