Exchange Servers Under Active Attack via ProxyShell Bugs
A researcher at Black Hat revealed an entirely new attack surface that exists in Exchange. Threat actors are allegedly now exploiting servers vulnerable to the RCE bugs.

According to researchers, Microsoft Exchange servers are being actively exploited via ProxyShell, the name of the attack disclosed at Black Hat last week. The attack chains three different Microsoft vulnerabilities together to allow unauthenticated attackers to perform remote code execution and access plaintext passwords. The vulnerability was detailed in a presentation delivered last week by Orange Tsai, a principal security researcher at Devcore.
Tsai reported that a survey shows more than 400,000 Exchange servers were exposed to the attack via port 443. Following the presentation, SANS Internet Storm Center reported more than 30,000 vulnerable Exchange servers detected via a Shodan scan. Microsoft has already released patches for the chain of vulnerabilities used to perform the attack. The vulnerabilities affect Exchange Server 2013, 2016, and 2019.