During Black Hat 2021, a well-known computer security conference, security researcher Orange Tsai showcased a new exploit dubbed “ProxyShell” to remotely attack on-premise Microsoft Exchange servers.

ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) which, when used together, could enable a threat actor to perform unauthenticated, remote code execution (RCE) on unpatched Microsoft Exchange servers.

Adversaries are actively scanning for vulnerable Microsoft Exchange servers through the use of Shodan, GreyNoise and Tenable since the technical details of the exploit were disclosed last week at the Black Hat 2021 conference.

As reported by SANS Internet Storm Center, over 30.000 vulnerable Microsoft Exchange Servers are detected by Shodan.

Scope of the vulnerability

On-premise, unpatched Microsoft Exchange Servers ranging from 2013 until 2019 are vulnerable to the ProxyShell exploit.

The following nmap script could be used to scan the corporate network for any vulnerable Microsoft Exchange servers: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse

Remediation

Microsoft released patches for ProxyShell vulnerabilities in mid-April, however, the tech giant only published advisories for the flaws in May and July.

The following patches should be installed:

• https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1
• https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064

Mitigation

Block incoming, external traffic over port 443 to corporate Microsoft Exchange servers.

Detection

Successful ProxyShell exploitation can be detected through reverse proxy logs.

Monitor incoming web requests over port 443 against uri_path ‘ /autodiscover/autodiscover.json ‘ containing one of the following strings ‘ (“powershell”,”mapi/nspi”,”mapi/emsmdb”,”/EWS”,”X-Rps-CAT”) ‘ with resulting status code 200, 301 or 302.

Post-exploitation activity can be detected as well by monitoring:

• PowerShell logs from the Exchange server
  • The ‘ New-ManagementRoleAssignment ‘ command is indicative of granting mailbox import/export privileges.
  • The ‘ New-MailboxExportRequest ‘ command is indicative of exporting a user’s mailbox into an UNC path.
• Endpoint logs from the Exchange server
  • Process creation of ‘ MSExchangeMailboxReplication.exe ‘.
  • Process creation of ‘ powershell.exe ‘ or ‘ pwsh.exe ‘ containing ‘ New-MailboxExportRequest* ‘.

Hunting

We advise to query reverse proxy logs for indicators of scanning activity:

• incoming web requests over port 443 against uri_path ‘ /autodiscover/autodiscover.json ‘ containing one of the following strings ‘ (“powershell”,”mapi/nspi”,”mapi/emsmdb”,”/EWS”,”X-Rps-CAT”) ‘ with resulting status code 400, 401 or 404.
• YARA rules to hunt for ProxyShell, provided by Florian Roth: https://github.com/Neo23x0/signature-base/blob/master/yara/expl_proxyshell.yar

Reach out to info@davinsi.com if you need any assistance from our team of security experts.

We hope the following threat advisory assists to react quickly to ongoing threats and urges the need for patching and security monitoring.

References

• https://www.computing.co.uk/news/4035569/microsoft-exchange-server-threat-actors-actively-scanning-proxyshell-vulnerability-researchers-warn
• https://www.youtube.com/watch?v=5mqid-7zp8k
• https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
• https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html?m=1
• https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#exchangepowershell
• https://twitter.com/ber_m1ng/status/1424553393280880640
• https://www.elastic.co/guide/en/security/current/exporting-exchange-mailbox-via-powershell.html
• https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/