Threat actors exploit a new set of vulnerabilities in their campaigns after abusing the ProxyLogon flaws trio

Aug 14, 2021 05:08 GMT  ·  By

Microsoft Exchange servers are being targeted again, this time via a chain of three different vulnerabilities that affect on-premises installations, according to The Hacker News.

Known as ProxyShell, the three vulnerabilities can be chained to achieve remote code execution, elevate privileges on the Exchange PowerShell backend (effectively authenticating the attacker), and bypass access control lists (ACLs) on the victim's system.

The earlier ProxyLogon vulnerability, tracked as CVE-2021-26855, is a server-side request forgery flaw in Exchange Server and serves as the entry point for gaining complete control of a vulnerable server. In conjunction with CVE-2021-27065, it can be used to execute code on the server.

Microsoft disclosed the flaws after revealing a Beijing-sponsored cyber operation that used Exchange to target US companies and exfiltrate data. Since then, Microsoft has patched six new vulnerabilities in its mail server component, two of which allow an attacker to recover a user's password in plaintext.

The following are the past and new vulnerabilities impacting Exchange servers:

ProxyShell:

  • CVE-2021-34523 - Microsoft Exchange Server Elevation of Privilege Flaw, patched on April 13, advisory released on July 13
  • CVE-2021-34473 - Microsoft Exchange Server RCE Flaw, patched on April 13, advisory released on July 13
  • CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Flaw, patched on May 11

ProxyLogon:

  • CVE-2021-26858 - Microsoft Exchange Server RCE Flaw, patched on March 2
  • CVE-2021-27065 - Microsoft Exchange Server RCE Flaw, patched on March 2
  • CVE-2021-26857 - Microsoft Exchange Server RCE Flaw, patched on March 2
  • CVE-2021-26855 - Microsoft Exchange Server RCE Flaw, patched on March 2

ProxyOracle:

  • CVE-2021-31196 - Microsoft Exchange Server RCE Flaw, patched on July 13
  • CVE-2021-31195 - Microsoft Exchange Server RCE Flaw, patched on May 11

Unnamed:

  • CVE-2021-33768 - Microsoft Exchange Server Elevation of Privilege Flaw, patched on July 13

While DEVCORE researcher Orange Tsai published technical details of the ProxyShell attack chain at the Black Hat USA 2021 and DEF CON security conferences, the technique was first demonstrated at the Pwn2Own hacking competition in April.

Microsoft strongly recommends that administrators of Exchange Servers install the latest patches provided by the company to prevent exploit attempts.