Pierluigi Paganini March 12, 2021

Researchers warn of a surge in cyber attacks against Microsoft Exchange servers exploiting the recently disclosed ProxyLogon vulnerabilities.

Researchers at Check Point Research team reported that threat actors are actively exploiting the recently disclosed ProxyLogon zero-day vulnerabilities in Microsoft Exchange.

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

Check Point Research team reported that that in a time span of 24 hours the exploitation attempts are doubling every two hours.

“CPR has seen hundreds of exploit attempts against organizations worldwide” reads the post published by CheckPoint. “In the past 24 hours alone, CPR has observed that the number exploitation attempts on organizations it tracks doubled every two to three hours.”

Most of exploit attempts targeted organizations in Turkey (19%), followed by United States (18%) and Italy (10%). Most targeted sectors have been Government/Military (17% of all exploit attempts), followed by Manufacturing (14%), and then Banking (11%).

Below the details of the ProxyLogon vulnerabilities:

• The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
• The second flaw, tracked as CVE-2021-26857, is an insecure deserialization vulnerability that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.
• The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.
• The last flaw, tracked as CVE-2021-27065, is a post-authentication arbitrary file write vulnerability in Exchange.

The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants. 

The availability online of PoC exploit tool online pose a serious risk to organizations.

This week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.

The availability of the proof-of-concept code was first reported by The Record.

The availability of the exploit online was immediately noticed by several cyber security experts, including Marcus Hutchins.

A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution. 

Experts believe that cybercrime organizations and state-sponsored group could exploit the code in like attacks,

ESET researchers pointed out that other threat actors, such as cybercrime Tick, LuckyMouse, and Calypso, had also been exploiting the ProxyLogon flaws before Microsoft addressed them.

Microsoft researchers also spotted a ransomware gangs that is exploiting ProxyLogon flaws to spread a piece of malware tracked as DearCry.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]