Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
Update #2 - 08/21/2021 @ 2:03am ET - Included five distinct webshell payloads
Update #1 - 08/21/2021 @ 1:19am ET - Included clarification on ProxyShell vs. ProxyLogon
Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year.
Back in March of this year, we saw multiple zero-day exploits being used to attack on-premises Exchange servers—and it looks like we’re not out of the woods yet. Those who have not patched since April or May are not safe and could still be exploited.
We recommend you update to the latest security patch, monitor for new indicators of compromise and stay up-to-date on new information as it is released. We will continue to update this post with new findings.
The pace of webshell activity slowed down a bit through the night but is still going. During this time, we built some simple analytics to highlight the patch levels
Collaboration with industry security researchers Kevin Beaumont and Rich Warren has helped corroborate that the webshell and LockFile ransomware incidents we're seeing within companies may be related:
We’ll continue to keep the community updated as things progress.
In the month of August (not limited to the past 48hr surge), we've currently observed at least five distinct styles of webshells deployed to vulnerable Microsoft Exchange servers:
- XSL Transform (most common, over 130 occurrences)
- Encrypted Reflected Assembly Loader
- Comment Separation and Obfuscation of the "unsafe" Keyword
- JScript Base64 Encoding and Character Typecasting
- Arbitrary File Uploader
We've seen a number of questions about whether Exchange 2010 is vulnerable. As mentioned below, the ProxyShell exploit chains three separate vulnerabilities to get code execution.
"Microsoft will no longer [provide] security fixes for vulnerabilities that may make the server vulnerable to security breaches"
We strongly advise against running an EOL'd 2010 server in 2021.
Hackers are exploiting vulnerabilities in Microsoft Exchange, dubbed ProxyShell, to install a backdoor for later access and post-exploitation. This ProxyShell attack uses three chained Exchange vulnerabilities to perform unauthenticated remote code execution.
- CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
- CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
- CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.
Huntress is seeing attackers actively exploiting these vulnerabilities against vulnerable Exchange servers. Our team has sent over 100 incident reports related to this exploit in the last two days, August 17 and 18.
It is imperative that you update your Exchange servers to the latest released patches. At a minimum, please ensure that you have the July 2021 updates installed. You can view the installed hotfixes by running the command `systeminfo` in an administrative command prompt. The output in the "Hotfixes" section should include the Knowledge Base (KB) identifiers appropriate for your Exchange version, listed below.
Here is a list of patch levels and the expected file version of the MSExchangeRPC service binary that indicates a server is fully patched as of July 2021:
- Exchange 2019 CU10 + KB5004780 = v15.2.922.13
- Exchange 2019 CU9 + KB5004780 = v15.2.858.15
- Exchange 2016 CU21 + KB5004779 = v15.1.2308.14
- Exchange 2016 CU20 + KB5004779 = v15.1.2242.12
- Exchange 2013 CU23 + KB5004778 = v15.0.1497.23
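The following script is an added example (not Huntress tooling) that turns the table above into a repeatable check. It assumes you have already read the MSExchangeRPC binary's file version from its properties and captured `systeminfo` output; the `systeminfo` excerpt embedded below is constructed, and the KB ids other than KB5004780 are placeholders. A build whose major.minor.build prefix matches none of the five rows is reported as "unknown", which in practice means an older CU and should be treated as unpatched.

```python
import re

# Minimum MSExchangeRPC file version per CU that indicates the July 2021
# security update is installed (values taken from the table above).
PATCHED_BASELINES = {
    "Exchange 2019 CU10": ("KB5004780", "v15.2.922.13"),
    "Exchange 2019 CU9":  ("KB5004780", "v15.2.858.15"),
    "Exchange 2016 CU21": ("KB5004779", "v15.1.2308.14"),
    "Exchange 2016 CU20": ("KB5004779", "v15.1.2242.12"),
    "Exchange 2013 CU23": ("KB5004778", "v15.0.1497.23"),
}


def parse_version(text):
    """'v15.2.922.13' -> (15, 2, 922, 13); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def identify_cu(version):
    """Map a build to its CU by major.minor.build; the last component is the SU level."""
    prefix = parse_version(version)[:3]
    for cu, (kb, minimum) in PATCHED_BASELINES.items():
        if parse_version(minimum)[:3] == prefix:
            return cu, kb, minimum
    return None


def assess_exchange_version(version):
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unknown'."""
    match = identify_cu(version)
    if match is None:
        return "unknown", f"build {version} matches no CU in the July 2021 table; treat as unpatched"
    cu, kb, minimum = match
    if parse_version(version) >= parse_version(minimum):
        return "patched", f"{cu} at {version} meets the {kb} baseline ({minimum})"
    return "vulnerable", f"{cu} at {version} is below the {kb} baseline ({minimum})"


# systeminfo lists hotfixes as "[01]: KB1234567" lines under "Hotfix(s):".
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def installed_hotfixes(systeminfo_output):
    """Collect KB ids from the Hotfix(s) section of systeminfo output."""
    return set(HOTFIX_RE.findall(systeminfo_output))


def check_host(version, systeminfo_output):
    """Combine both signals: binary version and presence of the matching KB."""
    status, detail = assess_exchange_version(version)
    match = identify_cu(version)
    kb_present = bool(match) and match[1] in installed_hotfixes(systeminfo_output)
    return {"status": status, "detail": detail, "kb_present": kb_present}


# Constructed systeminfo excerpt (not output from any real host). KB5004780 is the
# Exchange 2019 SU from the table; KB1111111 and KB2222222 are placeholders.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXCH01
OS Name:                   Microsoft Windows Server 2019 Standard
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB5004780
                           [03]: KB2222222
"""

if __name__ == "__main__":
    # 15.1.2000.1 is a made-up build used to show the "unknown CU" path.
    for v in ("v15.2.922.13", "15.2.922.7", "15.1.2000.1"):
        print(v, check_host(v, SAMPLE_SYSTEMINFO))
```

Both signals should agree: a binary at or above the baseline but with no matching KB in the hotfix list (or the reverse) is worth a second look rather than a green tick.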
So far, Huntress has found webshells written in subdirectories within the Exchange installation path. Typically, these files have a random filename, while some are human readable.
Below is a short snippet of webshells we have discovered:
Note that these are not pure ASPX files. Examining the magic bytes and file header will explain this is instead a Microsoft Outlook email folder.
Upon further inspection of this file (with a simple `strings` run or by viewing it in a hex editor), you will find valid code that may often execute code with an eval statement or allow further uploading of files.
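Here is an added example (not code from the original post) of a defender-side triage scanner built on the two observations above: an `.aspx` file under the Exchange install path whose first bytes are the Outlook Personal Folders magic `!BDN` is not a real ASPX page, and the body of such a file tends to contain eval or file-upload fragments. The scan root is a parameter you supply; the sample tree the script builds is constructed for demonstration, with random-looking filenames and marker text that is not functional code.

```python
import os
import tempfile

# First four bytes of an Outlook Personal Folders (.pst) file.
PST_MAGIC = b"!BDN"

# Fragments that commonly appear in webshell bodies (eval, request handling,
# file uploads, the "unsafe" keyword the post mentions); matched case-insensitively.
SUSPICIOUS_MARKERS = [
    b"eval(",
    b"request[",
    b"request.files",
    b"saveas(",
    b"unsafe",
    b"system.reflection",
]


def classify_file(data):
    """Flag a file that is really a PST despite its .aspx name, or that carries
    code fragments typical of a webshell."""
    lowered = data.lower()
    is_pst = data[:4] == PST_MAGIC
    has_aspx_directive = b"<%@" in data or b'runat="server"' in lowered
    markers = [m.decode() for m in SUSPICIOUS_MARKERS if m in lowered]
    # A PST header on a file served as .aspx is the strongest single indicator.
    return {
        "is_pst": is_pst,
        "has_aspx_directive": has_aspx_directive,
        "markers": markers,
        "suspicious": is_pst or bool(markers),
    }


def scan_directory(root, extensions=(".aspx",)):
    """Walk root and return classification records for suspicious files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            result = classify_file(data)
            if result["suspicious"]:
                result["name"] = name
                result["path"] = path
                findings.append(result)
    return findings


def build_sample_tree(base):
    """Constructed sample files (not real artifacts): a benign page, a PST-headed
    file with marker text, and a plain ASPX with upload markers. The marker text is
    comments, not working code."""
    sub = os.path.join(base, "FrontEnd", "HttpProxy", "owa", "auth")
    os.makedirs(sub, exist_ok=True)
    files = {
        "logon.aspx": b'<%@ Page Language="C#" %>\r\n<html><body>Sign in</body></html>',
        "zkMqa.aspx": PST_MAGIC + b"\x00" * 60
        + b'<%@ Page Language="Jscript" %><!-- constructed sample: eval( unsafe -->',
        "upload.aspx": b'<%@ Page Language="C#" %><!-- constructed sample: Request.Files SaveAs( -->',
    }
    for name, body in files.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(body)
    return sub


def run_demo():
    """Build the sample tree in a temp dir and scan it; returns the findings."""
    base = tempfile.mkdtemp(prefix="exchange-scan-")
    build_sample_tree(base)
    return scan_directory(base)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], "pst" if finding["is_pst"] else "", finding["markers"])
```

Point `scan_directory` at the Exchange installation path on a suspect server; the keyword markers will produce some noise on legitimate pages, so the `is_pst` flag is the field to sort on first.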
This attack chain was presented at Black Hat USA ‘21 in Orange Tsai’s presentation, “ProxyLogon is Just the Tip of the Iceberg.” For a detailed explanation on the attack chain, see:
Orange Tsai had also provided a text-based writeup of the attack chain for the Zero Day Initiative following the Pwn2Own contest, which you can find here.