This was an interesting read this week. Three vulnerabilities have been identified in Microsoft exchanged that if used in combination allow the user to ” perform unauthenticated remote code execution” easily accomplished via the public facing web platform of Microsoft Exchange.
Some attackers have already started using the Proxyshell attacks by modifying configurations in applicationHost.config files in which a new “virtual directory” is set up that tricks the server into hosting files from other locations on the file system. Some attacks leave the Wed shell open for future use, others have been hit with cryptocurrency miners and another with Lockfile ransomware. Yet this is not yet a “centralized, organized and large-scale attack”. The article explains that the pieces/framework is there for an attacker to exploit. It “could” turn into a more critical attack chain if unchecked.
Patching is still being analyzed and decided upon as this is not to be confused with the vulnerabilities and patches that were applied to the ProxyLogon situation in March. Huntress is advising that business apply patches to the Exchange servers thru the July 2021 release.
Article: