Attackers combine ProxyShell vulnerabilities to attack Microsoft Exchange

Admins should update Microsoft Exchange because of ongoing attacks. After a successful attack, attackers can execute malicious code. Security updates have been available since May and July. After successful attacks, attackers probably place a backdoor on systems for later access.

By combining three vulnerabilities (CVE-2021-34473 "critical", CVE-2021-34523 "critical", CVE-2021-31207 "medium"), attackers can remotely bypass authentication, obtain higher user rights and ultimately execute malicious code. Exchange servers are then considered completely compromised.

According to the search engine Shodan, 7857 Exchange servers are currently vulnerable in Germany.

(Image: Shodan)

Scans for vulnerable systems began a few days ago. Various security researchers are now reporting the first attacks. It can be assumed that the number of attacks will increase. Admins should update their Exchange servers quickly. Microsoft Exchange Server 2013, 2016 and 2019 are specifically affected.

According to information from the Shodan search engine, 240,000 Exchange servers worldwide can be reached from the Internet. 46,000 are said to be vulnerable. In Germany there are 50,000 servers, of which over 7800 are vulnerable. Admins can identify suspicious access in the IIS logs by looking for requests to, for example, /autodiscover/autodiscover.json or /mapi/nspi/. With a free scanner from security researcher Kevin Beaumont, admins can test their servers for the ProxyShell vulnerability (CVE-2021-34473).
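One way to run the IIS log check mentioned above, as an added example that is not part of the original article: it reads IIS W3C logs, follows the #Fields header, and lists requests to the two paths the article names. The log lines and IP addresses are constructed sample data, and the function names are this example's own; a match is a lead for review, not proof of compromise.

```python
"""Flag IIS W3C log entries that touch the paths the article names."""
from collections import Counter

# Paths named in the article as worth checking in IIS logs.
SUSPICIOUS_PATHS = ("/autodiscover/autodiscover.json", "/mapi/nspi/")

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-12 09:14:02 GET /owa/auth/logon.aspx - 198.51.100.7 200
2021-08-12 09:14:05 POST /autodiscover/autodiscover.json - 203.0.113.50 200
2021-08-12 09:14:09 POST /Mapi/Nspi/ - 203.0.113.50 200
2021-08-12 09:15:30 GET /ecp/default.aspx - 198.51.100.7 302
"""


def find_suspicious(lines):
    """Return a dict per matching entry; honours the #Fields header order."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed entry
        entry = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare in lower case.
        uri = (entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")).lower()
        matched = [p for p in SUSPICIOUS_PATHS if p in uri]
        if matched:
            entry["matched"] = matched
            hits.append(entry)
    return hits


def hits_per_client(hits):
    """Count matching requests per client IP to prioritise review."""
    return Counter(h.get("c-ip", "?") for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
    print(dict(hits_per_client(found)))
```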

Attackers are currently combining three ProxyShell vulnerabilities. Attacks on CVE-2021-31206 could be imminent.

(Image: Shodan)

It is interesting that over 20,000 servers are vulnerable to a further malicious code attack (CVE-2021-31206, "high"), for which a security update was released at the same time. There are no documented attacks yet, but they could be imminent. So here, too, the motto is: patch now!

