Researchers have identified 140+ webshells launched against 1,900 unpatched Microsoft Exchange servers.
The Cybersecurity & Infrastructure Security Agency (CISA) issued an urgent security alert about a sudden and unexpected rise in ProxyShell attacks. The agency is working with the cybersecurity community to urge organizations to immediately install the latest security updates, in which Microsoft patched the Exchange Server vulnerabilities.
This time around, cybercriminals are targeting a wide range of industries and organizations, which is what concerns CISA.
140 Webshells Launched Against Unpatched Servers
Cybersecurity firm Huntress has reportedly discovered 140 webshells launched against 1,900 unpatched Microsoft Exchange servers. Researchers noticed that the ProxyShell vulnerabilities are being exploited by several different attackers aiming to compromise MS Exchange servers across the globe.
Keep your Exchange servers safe this weekend. @HuntressLabs has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more. #ProxyShell pic.twitter.com/clhQ0E5rnR
— Kyle Hanslovan (@KyleHanslovan) August 20, 2021
The researchers further noted that the ProxyShell vulnerabilities were actively exploited throughout August, with threat actors installing backdoor access after exploiting the ProxyShell chain. The surge in these attacks was noticed from Friday night onwards.
In a tweet posted on August 20, Huntress researcher Kyle Hanslovan revealed that the impacted organizations are incredibly diverse.
“Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” Hanslovan tweeted.
Threat Actors Delivering LockFile Ransomware Too
Huntress researcher John Hammond collaborated with Rich Warren and Kevin Beaumont to determine how extensively threat actors are exploiting these vulnerabilities. According to their analysis, three different MS Exchange Server vulnerabilities are chained over the transport protocol on port 442 to execute arbitrary commands without any authentication.
The most common webshells found on unpatched Exchange servers include XSL Transform, which was seen 130 times, followed by Arbitrary File Uploader, Comment Separation, and Obfuscation of the “unsafe” Keyword, Encrypted Reflected Assembly Loader, and Jscript Base64 Encoding and Character Typecasting.
In addition to this, researchers identified that threat actors were exploiting ProxyShell for delivering LockFile ransomware.
The Unique Tactic
The research team assessed a system already infected with LockFile ransomware via ProxyShell and identified an unusual attack tactic: the Exchange server's internet service (IIS) configuration file had been modified to insert a new virtual directory. A virtual directory maps a URL endpoint to another location on the filesystem, so the webshell can be served from a path outside the web root.
This is a new technique for #ProxyShell we haven't seen before. Adds another just a slight layer of stealth and opens the opportunity to hide webshells in other locations, not strictly in a public web directory. https://t.co/WY71UJMiL0
— John Hammond (@_JohnHammond) August 23, 2021
According to Hammond, this tactic lets the attacker hide the webshell outside the ASP directories that are normally monitored.
“If you don’t know to look for this, this is going to slip under the radar and the hackers will persist in the target environment. Additionally, the hidden webshell discovered on this host uses the same XML/XLS transform technique that we have seen previously,” Hammond wrote in his tweet.
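A defensive check for the tactic described above, added here as an example rather than code from Huntress or the article: it parses an IIS applicationHost.config-style XML (a constructed sample, with a hypothetical stray virtual directory under /ecp) and flags every virtual directory whose physical path falls outside the expected Exchange and inetpub roots, which is exactly where a redirected webshell would sit.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample modelled on the IIS applicationHost.config layout.
# The /ecp/aspnet_client entry is a hypothetical attacker-added virtual
# directory pointing outside the web roots; the other entries are normal.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
        <application path="/owa" applicationPool="MSExchangeOWAAppPool">
          <virtualDirectory path="/" physicalPath="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa" />
        </application>
        <application path="/ecp" applicationPool="MSExchangeECPAppPool">
          <virtualDirectory path="/" physicalPath="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp" />
          <virtualDirectory path="/aspnet_client" physicalPath="C:\ProgramData\Temp\hidden" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""

# Directories from which Exchange/IIS content is legitimately served
# (adjust to the local install drive and path).
EXPECTED_ROOTS = (r"C:\inetpub", r"C:\Program Files\Microsoft\Exchange Server")


def _expand(physical_path, env):
    """Expand the %VAR% placeholders IIS allows in physicalPath."""
    for var, value in env.items():
        physical_path = physical_path.replace(var, value)
    return PureWindowsPath(physical_path)


def _under(path, root):
    """Case-insensitive check that path lies beneath root."""
    parts = [p.lower() for p in path.parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[:len(root_parts)] == root_parts


def find_unexpected_vdirs(config_xml, expected_roots=EXPECTED_ROOTS, env=None):
    """Return (site, url_path, physical_path) for every virtual directory
    whose physical path is not beneath one of the expected roots."""
    env = env or {"%SystemDrive%": "C:"}
    roots = [PureWindowsPath(r) for r in expected_roots]
    findings = []
    for site in ET.fromstring(config_xml).iter("site"):
        for app in site.findall("application"):
            for vdir in app.findall("virtualDirectory"):
                # Full URL path = application path joined with the vdir path.
                url = app.get("path", "/").rstrip("/") + "/" + vdir.get("path", "/").lstrip("/")
                url = url.rstrip("/") or "/"
                phys = _expand(vdir.get("physicalPath", ""), env)
                if not any(_under(phys, r) for r in roots):
                    findings.append((site.get("name"), url, str(phys)))
    return findings
```

Run it against the live %windir%\System32\inetsrv\config\applicationHost.config on an Exchange server and review each finding by hand; a mapping into ProgramData, Temp or user-profile paths is the pattern to treat as a likely hidden webshell.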
About the Vulnerabilities
The three ProxyShell vulnerabilities that are exploited include the following:
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE
Orange Tsai of the DEVCORE Research Team discovered these vulnerabilities, demonstrated the exploit chain at the Black Hat and DEF CON conferences, and later published detailed information. Beaumont published an nmap plugin that organizations can use to identify unpatched systems.