Cyberattacks Against Microsoft Exchange Servers Escalate As PoCs Posted Online

Public proof-of-concept (PoC) exploits for ProxyLogon in Microsoft Exchange Servers are posted online and sparking a frenzy of attacks.

Researchers warn that malicious activity against Microsoft Exchange Servers is likely to accelerate now that the ProxyLogon group of security flaws has been disclosed and working exploits are circulating.

Advanced persistent threats (APTs) were the first to target vulnerable Exchange servers. Now that PoCs are public, less sophisticated cybercriminals will try to get their piece of the pie.

“APTs…can reverse engineer the patches and make their own PoCs,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. “But publicly posted PoCs mean that the thousands of other hacker groups that don’t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.”

Will Dormann, a security researcher at CERT/CC, tweeted, “How did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.” He confirmed that the public PoCs he found through a simple Google search actually work.

Researchers predict attacks on Exchange servers will become even more widespread, given the hundreds of thousands of still-unpatched machines in use and the PoCs some users have posted online for anyone to grab. Last week, security researcher Nguyen Jang published a PoC on GitHub. GitHub removed it quickly, but it was available for several hours.

Then, over the weekend, another PoC appeared, as confirmed by CERT/CC’s Dormann.

Adding to the mix, on March 8 Praetorian researchers published a technical analysis of CVE-2021-26855, the server-side request forgery (SSRF) bug that opens the ProxyLogon exploit chain, detailing how they built a working exploit by reverse-engineering Microsoft’s patch.

There have also been reports that the original exploit used by Chinese APTs may have leaked through Microsoft’s information-sharing program with security partners, possibly from one of its Chinese partners.

“Some of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,” according to the WSJ report. “Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.”

The good news is that Microsoft has released a one-click mitigation utility for Exchange Servers, which could help contain the current wave of attacks. The tool is an interim mitigation for servers that cannot be patched immediately; it is not a replacement for installing the security updates, and servers should still be checked for web shells and other signs of compromise that predate the mitigation.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.