ProxyLogon Microsoft Exchange exploit is completely out of the bag by now

A security researcher released a new PoC exploit for ProxyLogon issues that could be adapted to install web shells on vulnerable Microsoft Exchange servers.

A security researcher has released a new proof-of-concept exploit that could be adapted to install web shells on Microsoft Exchange servers vulnerable ProxyLogon issues.

Since the disclosure of the flaw, security experts observed a surge in the attacks against Microsoft Exchange mailservers worldwide.

Check Point Research team reported that that in a time span of 24 hours the exploitation attempts are doubling every two hours.

“CPR has seen hundreds of exploit attempts against organizations worldwide” reads the post published by CheckPoint. “In the past 24 hours alone, CPR has observed that the number exploitation attempts on organizations it tracks doubled every two to three hours.”

Most of exploit attempts targeted organizations in Turkey (19%), followed by United States (18%) and Italy (10%). Most targeted sectors have been Government/Military (17% of all exploit attempts), followed by Manufacturing (14%), and then Banking (11%).

Security experts pointed out that the flaws are actively exploited to deliver web shells, and more recently ransomware such as the DearCry ransomware.

Last week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.

The availability of the proof-of-concept code was first reported by The Record.

A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution. 

Jang explained that he has published the PoC code to raise the alert on the recent wave of hacks and give the opportunity to colleagues to study the code use in the attacks.

Experts at Praetorian published a detailed technical analysis of the exploit for the Microsoft Exchange flaws, they performed a reverse-engineering of the CVE-2021-26855 patch and developed a fully functioning end-to-end exploit

During the weekend, another security researcher published a new PoC exploit for the ProxyLogon vulnerabilities. The code is not ready-to-use but requires to be modified to be used to compromise vulnerable Microsoft Exchange servers.

Will Dorman, a vulnerability researcher at the CERT/CC, confirmed the availability of the exploit and that it works.

He pointed out that there is no need to search for exploit in the dark web or on cybercrime/hacking forums, searching it on Google it is possible to find the exploit code.

A joint analysis conducted by Microsoft and RiskIQ allowed to identify more than 100,000 servers still vulnerable.

“Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated,” reads a post published by Microsoft last week. “We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.”

The public availability of PoC exploits and the large number of vulnerable Exchange servers exposed online pose serious risks for organizations.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]