Hackers Using ProxyLogon And ProxyShell To Attack Microsoft Exchange Servers


Hackers attack Microsoft Exchange servers because they often contain sensitive communication data that can be exploited for several illicit purposes.

Besides this, the widespread use of Microsoft Exchange in enterprises makes it an attractive and high-impact target for cybercriminals.

Three years after their disclosure, the ProxyLogon and ProxyShell vulnerabilities are still being used against Microsoft Exchange servers.

Recently, the Hunt Research Team discovered a server that had likely been used to exploit these flaws to access and steal sensitive government communications across multiple regions, including those of Afghanistan's Presidential Palace.

Both chains were disclosed in 2021 and give unauthenticated attackers a path to command execution and mailbox access. ProxyLogon (CVE-2021-26855, chained with the post-auth file write CVE-2021-27065) abuses a server-side request forgery in the Exchange front end to reach back-end services as the server itself. ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) abuses path confusion in the Autodiscover front end to reach back-end services such as MAPI and the PowerShell endpoint while impersonating users, and ends in an arbitrary file write.
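Because both chains leave distinctive request shapes in the Exchange front end's IIS logs, a defender's first check is usually a log sweep. The following Python script is an added example, not code from the Hunt report or from this article: it parses IIS W3C log lines (using the `#Fields:` header, so the default IIS field order is assumed but not hard-coded) and flags a few publicly documented request patterns: the ProxyShell `autodiscover.json?@host/...` path-confusion shape, anomalous POSTs to static `/owa/auth/Current/themes/resources/` files used in ProxyLogon SSRF traffic, the `DDIService.svc/SetObject ... ResetOABVirtualDirectory` call used to drop a file, and `.aspx` requests under `/aspnet_client/`, a common webshell location. The log lines are constructed for the example; the IP addresses and host names in them are placeholders.

```python
"""Flag IIS W3C log lines matching documented ProxyLogon / ProxyShell request shapes.

Added example for illustration; not code from the Hunt report or the article.
Assumes IIS W3C logging with a '#Fields:' header line (the default layout).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log (not real traffic). Line 1 is a normal Outlook
# Autodiscover lookup and must NOT be flagged; lines 2-5 are exploit shapes.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 10:01:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@corp.example&Protocol=ActiveSync 443 - 198.51.100.7 Outlook/16.0 - 200 0 0 15
2021-08-12 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 120
2021-08-12 10:02:30 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 90
2021-08-12 10:03:10 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=abc&schema=ResetOABVirtualDirectory 444 - 203.0.113.9 python-requests/2.25 - 200 0 0 210
2021-08-12 10:03:40 10.0.0.5 GET /aspnet_client/system_web/shell.aspx cmd=whoami 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 33
2021-08-12 10:05:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.8 Mozilla/5.0 - 200 0 0 12
"""

# Back-end paths that ProxyShell requests tunnel to through the Autodiscover front end.
_SSRF_TARGETS = re.compile(r"/(powershell|mapi/nspi|ews/exchange\.asmx)", re.I)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into one dict per data row, keyed by the '#Fields:' names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign fields
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single request row matches."""
    stem = row["cs-uri-stem"].lower()
    query = row["cs-uri-query"]
    method = row["cs-method"].upper()
    hits: List[str] = []

    if stem.endswith("/autodiscover/autodiscover.json"):
        # CVE-2021-34473: the query smuggles a second URL after '@'. Legitimate
        # lookups also contain '@' inside Email=user@domain, so match the
        # exploit shape (leading '@', self-referencing Email, back-end path),
        # not the bare character.
        if (query.startswith("@")
                or "autodiscover/autodiscover.json" in query.lower()
                or _SSRF_TARGETS.search(query)):
            hits.append("proxyshell-path-confusion")

    if method == "POST" and stem.startswith("/owa/auth/current/themes/resources/"):
        # Static theme resources are fetched with GET; POSTs here were the
        # carrier for ProxyLogon SSRF requests.
        hits.append("proxylogon-ssrf-static-post")

    if stem == "/ecp/ddi/ddiservice.svc/setobject" and "resetoabvirtualdirectory" in query.lower():
        # CVE-2021-27065: OAB virtual directory reset used to write the payload to disk.
        # Admins can trigger this legitimately, so treat it as a review item.
        hits.append("proxylogon-oab-file-write")

    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        # /aspnet_client/ should not serve .aspx pages; webshells were dropped here.
        hits.append("webshell-aspnet-client")

    return hits


def scan(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (row_number, rule, client_ip, request) for every matching row."""
    findings: List[Tuple[int, str, str, str]] = []
    for i, row in enumerate(parse_w3c(text), 1):
        request = row["cs-uri-stem"]
        if row["cs-uri-query"] != "-":
            request += "?" + row["cs-uri-query"]
        for rule in classify(row):
            findings.append((i, rule, row["c-ip"], request))
    return findings


if __name__ == "__main__":
    for row_no, rule, client, request in scan(SAMPLE_LOG):
        print(f"row {row_no}: {rule:<28} {client:<15} {request}")
```

Point `scan()` at the contents of `C:\inetpub\logs\LogFiles\W3SVC1\*.log` on a front-end server. A hit on the path-confusion or `/aspnet_client/` rules is a strong signal; the `SetObject` rule needs correlation with the client address and time window, since the same call is made by legitimate ECP sessions.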


ProxyLogon & ProxyShell

Sensitive government communications of multiple countries, including Afghanistan and Laos, were discovered on a DigitalOcean server.

The exploit code on the server, which enabled unauthorized access to user mailboxes, closely resembled the ProxyLogon/ProxyShell code used in earlier campaigns that delivered the Squirrelwaffle loader. The server also hosted an Acunetix Web Vulnerability Scanner instance with a unique certificate.

The exposed directory, which contained nearly 4,000 files, was locked down shortly after it was discovered.

Exposed open directories (Source – Hunt)

This suggests that sophisticated threat actors are targeting government sectors across several regions, as evidenced by the Chinese-language folder names and the specific exploit code found on the server.

The countries whose government communications were found on the server are:

  • Afghanistan
  • Georgia
  • Argentina
  • Laos

The exposed server revealed thousands of files tied to attacks on government offices in several countries, carried out with modified open-source exploit code for known vulnerabilities.

However brief the exposure was, it underscores that malicious actors are still exploiting vulnerabilities disclosed years ago.

Hunt's Open Directories feature, which surfaced this server, is what gives defenders visibility into live threats of this kind.

IoCs

IoCs (Source – Hunt)
