Attackers searching for vulnerable Microsoft Exchange servers: Huntress

Security firm Huntress is warning MSPs that attackers are exploiting the ProxyShell vulnerabilities in on-premises Microsoft Exchange Server, and that unpatched servers could be compromised as early as this weekend.

Huntress has seen 140-plus webshells on Microsoft Exchange Server 2013, 2016 and 2019, and said it has found 1,900-plus unpatched servers in 48 hours.

“Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year,” said Huntress threat hunter John Hammond in a blog posted on Thursday.

The on-premises Exchange Server alert comes just five months after Huntress alerted MSPs to the scope and scale of a blockbuster on-premises Microsoft Exchange breach initiated by Chinese state-sponsored hackers.

At that time, Huntress revealed that the scope and scale of the on-premises Exchange Server exploitation was much greater than Microsoft initially indicated.

“Back in March of this year, we saw multiple zero-day exploits being used to attack on-premises Exchange servers – and it looks like we’re not out of the woods yet,” said Hammond in Thursday’s blog post. “Those who have not patched since April or May are not safe and could still be exploited.”

Huntress is recommending that MSPs apply the latest security patch, “monitor for new indicators of compromise and stay up to date on new information as it is released.” Huntress has promised to update its post with new findings as it gets them.

Hackers are exploiting vulnerabilities in ProxyShell to “install a backdoor for later access and post-exploitation,” said Hammond. “This ProxyShell attack uses three chained Exchange vulnerabilities to perform unauthenticated remote code execution.”

Huntress said its team sent out more than 100 incident reports related to the on-premises Exchange Server exploitation on Tuesday and Wednesday alone.

Hammond said it is “imperative” that Exchange servers are updated with the latest patches. “As a minimum, please ensure that you have the July 2021 updates installed,” he wrote. “You can view the installed hotfixes by running the command systeminfo in an administrative command prompt.”
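The following PowerShell triage script is an added example and is not code from Huntress or from this article. It does the two things the advice above boils down to: confirm the server carries at least the July 2021 security update, and look for recently dropped web files of the kind Huntress is reporting as webshells. One caveat a practitioner should know: `systeminfo` and `Get-HotFix` only enumerate operating-system hotfixes, so an Exchange security update (which installs as an MSI patch) does not appear there; the reliable indicator is the file version of `ExSetup.exe`, which Microsoft's own build-number documentation keys on. The minimum build numbers in the script are the July 2021 SU builds as recalled by the editor, and the registry value and directory names are assumptions; verify all of them against Microsoft's published Exchange build-number table and your own install paths before relying on the result.

```powershell
# Added example (not from the Huntress post or this article): quick patch-level
# and webshell triage for an on-premises Exchange 2013/2016/2019 server.
# Run from an elevated PowerShell prompt on the Exchange server itself.

# ASSUMED minimum builds that include the July 2021 SU, one per supported CU.
# Verify against Microsoft's Exchange build-number table before trusting them.
$MinimumBuilds = @(
    [version]'15.0.1497.23',  # Exchange 2013 CU23 + Jul 2021 SU
    [version]'15.1.2242.12',  # Exchange 2016 CU20 + Jul 2021 SU
    [version]'15.1.2308.14',  # Exchange 2016 CU21 + Jul 2021 SU
    [version]'15.2.858.15',   # Exchange 2019 CU9  + Jul 2021 SU
    [version]'15.2.922.13'    # Exchange 2019 CU10 + Jul 2021 SU
)

# ASSUMED registry location of the Exchange install path (v15 = 2013/2016/2019).
$SetupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'

function Get-ExchangeInstallPath {
    (Get-ItemProperty -Path $SetupKey -ErrorAction SilentlyContinue).MsiInstallPath
}

function Get-ExchangeBuild {
    # ExSetup.exe's file version tracks the installed CU + SU; OS hotfix lists
    # (systeminfo / Get-HotFix) do not include Exchange security updates.
    $installPath = Get-ExchangeInstallPath
    if (-not $installPath) { return $null }
    $exsetup = Get-Item -Path (Join-Path $installPath 'Bin\ExSetup.exe') -ErrorAction SilentlyContinue
    if (-not $exsetup) { return $null }
    # FileVersion looks like "15.02.0922.013"; [version] normalises the zero-padding.
    return [version]$exsetup.VersionInfo.FileVersion
}

function Test-ExchangeJulySU {
    param([Parameter(Mandatory)][version]$Build)
    # Compare only within the same product line (15.0 / 15.1 / 15.2).
    $sameLine = $MinimumBuilds | Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor }
    if (-not $sameLine) { return $null }                     # unknown product line: check manually
    $sameCu = $sameLine | Where-Object { $_.Build -eq $Build.Build }
    if ($sameCu) { return ($Build -ge $sameCu[0]) }          # same CU: revision decides
    $newestListed = ($sameLine | Measure-Object -Property Build -Maximum).Maximum
    # A CU newer than those listed ships with earlier SUs rolled in; an older CU
    # never received the July 2021 SU and is unpatched regardless of revision.
    return ($Build.Build -gt $newestListed)
}

function Find-RecentWebFiles {
    # Lists ASP.NET handler files created or modified recently under the IIS web
    # root and the Exchange front-end/client-access trees, with a crude content
    # heuristic. Directory names are ASSUMED defaults; adjust for your layout.
    param([int]$Days = 14)
    $roots = @("$env:SystemDrive\inetpub\wwwroot")
    $installPath = Get-ExchangeInstallPath
    if ($installPath) {
        $roots += (Join-Path $installPath 'FrontEnd\HttpProxy')
        $roots += (Join-Path $installPath 'ClientAccess')
    }
    $since = (Get-Date).AddDays(-$Days)
    # Heuristic markers common in ASPX webshells; a hit is a lead, not a verdict.
    $markers = 'eval\(|Process\.Start|cmd\.exe|powershell|Request\.Item|Request\['
    Get-ChildItem -Path $roots -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Created       = $_.CreationTime
                Modified      = $_.LastWriteTime
                Bytes         = $_.Length
                SuspectMarker = [bool](Select-String -Path $_.FullName -Pattern $markers -Quiet -ErrorAction SilentlyContinue)
            }
        }
}

# --- main ---
$build = Get-ExchangeBuild
if (-not $build) {
    Write-Warning "Could not locate ExSetup.exe; is this an Exchange server?"
} else {
    switch (Test-ExchangeJulySU -Build $build) {
        $true  { Write-Host "Exchange build $build: July 2021 SU (or later CU) present." }
        $false { Write-Warning "Exchange build $build is BELOW the July 2021 SU level: patch now." }
        default { Write-Warning "Exchange build $build is not in the known-build table; verify manually." }
    }
}

Write-Host "`nWeb files created/modified in the last 14 days (review each one):"
Find-RecentWebFiles -Days 14 | Sort-Object Created -Descending | Format-Table -AutoSize
```

The patch check is deliberately conservative: an unrecognised product line or an empty build returns "verify manually" rather than a false "patched". The file listing is a hunting aid, not a detection rule; legitimate Exchange ASPX files are old, so anything recent under those trees deserves a look, and a marker hit on a recent file is a strong reason to pull the file for analysis and check IIS logs for requests to it.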

Huntress CEO Kyle Hanslovan in a Twitter post urged MSPs and customers to “keep your Exchange servers safe” this weekend.

“Huntress Labs has seen 140-plus webshells across 1,900 unpatched boxes in 48hrs,” he tweeted. “Impacted orgs thus far include building mfgs (manufacturers), seafood processors, industrial machinery, auto repair shops, a small residential airport and more.”

Additional reporting by Michael Novinson
