August 13, 2021

Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access.

According to a recent update released by security researcher Kevin Beaumont and NCC Group vulnerability researcher Rich Warren, ProxyShell is an attack that uses three linked Microsoft Exchange vulnerabilities to execute unauthenticated remote code.

Devcore Principal Security Researcher, Orange Tsai revealed that the ProxyShell exploits use Microsoft Exchange’s AutoDiscover feature to conduct an SSRF attack. Warren’s example, shared with BleepingComputer, showed that the web shells consist of a simple authentication-protected script that threat actors can use to upload files to the compromised Microsoft Exchange server.

Since threat actors are already exploiting vulnerable Microsoft Exchange servers, Beaumont advises administrators to perform Azure Sentinel queries to confirm whether or not their devices have been scanned, and advises those who have recently updated their Microsoft Exchange server to do so immediately.

For more information, read the original story in BleepingComputer.