PoC Released, Active Exploitation of Exchange Vulnerabilities Observed

THE THREAT

Active exploitation of previously disclosed Microsoft Exchange vulnerabilities has been observed against researcher honeypots in the wild. Affected versions include Microsoft Exchange Server’s 2013, 2016, and 2019. Patches have been available since May [1].

A known vulnerability in Microsoft Exchange allows attackers to commit arbitrary file upload and execution [1]. In combination with previously reported authentication and privilege escalation vulnerabilities (patched in April) [2], this cluster of bugs is known as ProxyShell. This attack was first demonstrated on August 5, 2021, in a BlackHat presentation [3], followed by scanning for vulnerable devices. Within a week of the disclosure, researchers reported active exploitation against their honeypots [4]. Microsoft has made patches available for all three vulnerabilities [1][2].

What we’re doing about it

• eSentire’s Managed Log service detects potential abuse of Autodiscover, IMAP, and PowerShell services employed in this attack, as well as attempts to export the mailbox.
• eSentire’s Managed Vulnerability Service (MVS) has plugins available for scanning for this set of vulnerabilities.

What you should do about it

• Ensure patches [1][2] have been applied to Exchange infrastructure.
• Clients with endpoint monitoring in place should ensure endpoint agents are deployed to critical servers like Exchange.

Additional information

Impacted Products:

• Microsoft Exchange 2019
• Microsoft Exchange 2016
• Microsoft Exchange 2013

The attack chain starts with CVE-2021-31207, an authentication bypass vulnerability. From there, a threat actor can elevate privileges with CVE-2021-34523. Finally, with a foothold in the system and escalated privileges, remote code execution can be achieved with CVE-2021-34473. The publicly released PoC relies on abuse of Autodiscover, mapi, and PowerShell in the victim’s environment [5].

References:

[1] https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1
[2] https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064
[3] https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442
[4] https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/
[5] https://github.com/ktecv2000/ProxyShell/blob/main/exploit.py