The ProxyShell vulnerabilities in Microsoft Exchange continue to cause headaches for enterprises, as attackers over the last couple of days have stepped up their scanning for and exploitation of the bugs, and in some cases installing ransomware.
The vulnerabilities have been known publicly for several weeks, and Microsoft released patches for them in April, although the fixes weren’t disclosed until July. There are three separate bugs that comprise the ProxyShell issue, and they all can lead to arbitrary code execution. There have been active exploitation attempts against these flaws all summer, but the activity took on a new bent toward the end of last week and over the weekend, with an increase in scanning and some new exploitation techniques.
In most cases, attackers are exploiting the vulnerabilities and then installing a webshell, which is a small piece of code that stays resident on the compromised server and can be used for persistence.
“Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year. Back in March of this year, we saw multiple zero-day exploits being used to attack on-premises Exchange servers—and it looks like we’re not out of the woods yet. Those who have not patched since April or May are not safe and could still be exploited,” John Hammond of Huntress Labs wrote in an analysis of the recent attacks.
Although some of the information about the ProxyShell flaws has been public for some time, it wasn’t until Orange Tsai, the researcher who discovered the bugs, revealed complete details at Black Hat earlier this month that the whole picture became clear. Since then, attackers have stepped up their efforts to find and exploit vulnerable servers. Huntress Labs, which works with managed service providers, said it has visibility into more than 1,700 vulnerable servers and has seen about 300 of them compromised in the last few days.
“What was disclosed at Black Hat could easily be replicated now by anyone with some technical chops. Even though the patches came out in April, what we’re seeing now is that obviously not everyone patched,” Hammond said in an interview.
There has been a variety of different post-exploitation activity coinciding with the recent attacks, including the installation of the LockFile ransomware, the LemonDuck malware and cryptominer, and other pieces of malware. This follows the installation of a webshell, and Hammond said in some cases the attackers are installing a webshell not in the ASP directory, which is the typical location, but in a separate virtual directory.
"While analyzing one host that was compromised with both ProxyShell and the LockFile ransomware, we uncovered a unique TTP that we had not seen before for ProxyShell activity. The configuration file for the Exchange internet service was modified to include a new ‘virtual directory,’ which practically redirects one URL endpoint to another location on the filesystem. This allows a threat actor to hide a webshell in other uncommon and nonstandard locations, outside of the typically monitored ASP directories. If you don't know to look for this, this is going to slip under the radar and the hackers will persist in the target environment. Additionally, the hidden webshell discovered on this host uses the same XML/XLS transform technique that we have seen previously,” Huntress Labs said in a Reddit thread it is updating on these attacks.
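One way to hunt for the virtual-directory trick Huntress describes, as an added example that is not code from Huntress or from the article: parse the IIS applicationHost.config and flag any virtual directory whose physicalPath sits outside the roots where Exchange and IIS content is expected. The config fragment and the expected-root list below are constructed assumptions; on a real server, expand variables such as %ExchangeInstallPath% before comparing.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment (not taken from any real server).
# The first two vdirs are normal; the third maps a URL onto an unrelated folder,
# which is the pattern used to hide a webshell outside the usual ASP directories.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/owa">
          <virtualDirectory path="/" physicalPath="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa" />
        </application>
        <application path="/aspnet_client">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot\\aspnet_client" />
        </application>
        <application path="/updates">
          <virtualDirectory path="/" physicalPath="C:\\ProgramData\\cache" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# Assumed roots for legitimate content; adjust to the install layout being audited.
EXPECTED_ROOTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15",
    r"C:\inetpub\wwwroot",
]


def _is_under(path, root):
    """True if `path` is `root` or lies beneath it (case-insensitive, Windows semantics)."""
    try:
        PureWindowsPath(path).relative_to(PureWindowsPath(root))
        return True
    except ValueError:
        return False


def find_suspicious_vdirs(config_xml, roots=EXPECTED_ROOTS):
    """Return (site, application path, physicalPath) for every vdir outside all roots."""
    findings = []
    for site in ET.fromstring(config_xml).iter("site"):
        for app in site.iter("application"):
            for vdir in app.iter("virtualDirectory"):
                phys = vdir.get("physicalPath", "")
                if not any(_is_under(phys, r) for r in roots):
                    findings.append((site.get("name", "?"), app.get("path", "/"), phys))
    return findings


if __name__ == "__main__":
    for site, url, phys in find_suspicious_vdirs(SAMPLE_CONFIG):
        print(f"[!] {site}: {url} -> {phys} (outside expected roots)")
```

Any hit should be reconciled against change records for the server; a virtual directory nobody added deliberately, pointing at a writable folder, deserves a file-level look for ASPX or transform-based webshells.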
“Anyone who is not totally aware of what’s happening with this may miss it,” Hammond said.
The current scanning and exploit activity is opportunistic rather than targeted, Hammond said, which is typical of widely known vulnerabilities like ProxyShell.