Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference.
Before we get to the active scanning of these vulnerabilities, it is important to understand how they have been disclosed.
ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together.
These chained vulnerabilities are exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.
The three chained vulnerabilities used in ProxyShell attacks are:
On Thursday, Orange Tsai gave a Black Hat talk about recent Microsoft Exchange vulnerabilities he discovered when targeting the Microsoft Exchange Client Access Service (CAS) attack surface.
As part of the talk, Tsai explained that one of the components of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service.
Microsoft introduced the Autodiscover service to provide an easy way for mail client software to auto-configure itself with minimal input from the user.
After watching Orange Tsai’s talk, security researchers PeterJson and Jang published an article providing technical information about how they could successfully reproduce the ProxyShell exploit.
Attackers scan for vulnerable Exchange servers
Interesting thing I noticed in MailPot with Exchange servers – somebody has started targeting them using autodiscover.json, a detection avoidance and relatively undocumented feature it appears. pic.twitter.com/MOuTaoOQL2
— Kevin Beaumont (@GossiTheDog) August 2, 2021
While these initial attempts were unsuccessful, last night, after more details about the vulnerability were released, attackers modified their scans to use the new Autodiscover URL disclosed in Tsai’s slide above.
Using the new URL, it appears that the threat actors were successfully able to detect a vulnerable system as it triggers the compilation of the ASP.NET web application.
Jang told BleepingComputer that accessing the URL will cause the ASP.NET worker process (w3wp.exe exe) to compile a web application, as shown in the image below from Beaumont’s honeypot.
Now that threat actors are actively scanning for vulnerable Microsoft Exchange servers, Beaumont advises administrators to use Azure Sentinel to check IIS logs for the “/autodiscover/autodiscover.json” or “/mapi/nspi/” strings.
W3CIISLog | where csUriStem == "/autodiscover/autodiscover.json" | where csUriQuery has "/mapi/nspi/"
If the results list the targeted Autodiscover URL, then threat actors scanned your server for the vulnerability.
Threat actors are actively trying to exploit this vulnerability, with little success so far. However, it is only a matter of time until successful exploitation is achieved in the wild.
It is strongly advised that Microsoft Exchange admins install the latest cumulative updates so they are protected from these vulnerabilities
CVE-2021–34473 is one announced last month (but patch available in April). However, about 50% of internet exposed boxes aren’t patched yet.
— Kevin Beaumont (@GossiTheDog) August 7, 2021
As the ProxyShell vulnerabilities patches have already been released, the attacks should not be as far-reaching as the ProxyLogon attacks we saw in March, which led to ransomware, malware, and data theft on exposed servers.
However, Tsai states that there are currently 400,000 Microsoft Exchange servers exposed on the Internet, so there are bound to be successful attacks.
BleepingComputer has contacted Microsoft about this activity but has not heard back at this time.