In Microsoft Exchange, the three vulnerabilities that threat actors chain together to get initial access are referred to collectively as ProxyShell. They are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, and were disclosed by Orange Tsai of DEVCORE at Pwn2Own 2021. Used together, they let an unauthenticated attacker bypass authentication and execute code on the server as a privileged user. Microsoft has classified the ProxyShell vulnerabilities as critical, and they are relatively easy to exploit compared to most other remote code execution vulnerabilities, which is why Exchange RCE has become so well known in the attacker community.
The individual vulnerabilities are:
CVE-2021-34473: A pre-authentication remote code execution vulnerability in Microsoft Exchange. A path confusion flaw in the Autodiscover front end, caused by improper validation of the request URI, lets an unauthenticated attacker reach arbitrary back-end URLs, bypassing the access control list. On its own this is a server-side request forgery; combined with the two bugs below it leads to code execution with privileges that are normally reserved for administrators.
CVE-2021-34523: An elevation of privilege vulnerability in the Exchange PowerShell back end. The back end accepts an access token supplied by the caller (the X-Rps-CAT request parameter) without properly validating it, so an attacker who can reach the back end through the first flaw can impersonate any user, including one holding administrative roles, and gain access to the part of the system that should be reachable only by admins.
CVE-2021-31207: A post-authentication arbitrary file write vulnerability in the handling of mailbox export. The export writes a mailbox to a file at a caller-chosen path, and neither the user-supplied path nor the file extension is validated, so an attacker who has first placed a web shell payload in a mailbox can export that mailbox to an .aspx file under the web root. Because the export is performed by Exchange's own privileged service, this is the step that turns the chain into code execution on the server.
CVE-2021-31206: A separate flaw that allows an unauthenticated attacker in a privileged network position to trigger remote code execution when an administrator runs the `Update-ExchangeHelp` command. It is not part of the ProxyShell chain.
Reasons that make ProxyShell lethal:
Two things make ProxyShell exploits so dangerous.
As described above, the combination of these three vulnerabilities has been the entry point for large-scale data theft and ransomware attacks.
Attackers go from unauthenticated to elevated access to the environment quickly, with no credentials or user interaction required.
A proof-of-concept ProxyShell exploit can be downloaded from https://github.com/ktecv2000/ProxyShell
Stage 1 (CVE-2021-34473):
In the first stage the attacker needs only a valid email address on the target. With it they perform a server-side request forgery (SSRF) attack against Autodiscover. SSRF is an attack in which the attacker makes the server issue requests on their behalf, reaching internal systems; it is possible here because the Exchange front end reads a URL from the client and forwards it to the back end without properly validating it. Autodiscover itself is the service that lets Outlook clients (Outlook 2007 and later) connect to Exchange Server automatically, without custom scripts, manual configuration, or tools such as the Office Resource Kit's Custom Installation Wizard. The attacker's request asks Autodiscover, through the SSRF, for the user's configuration. It fails if the HTTP status code returned is not 200 or if the response does not contain the user's LegacyDN (legacy distinguished name), which is the value the next stage needs.
Stage 2 (CVE-2021-34473):
The same SSRF is then used against the MAPI endpoint (/mapi/emsmdb) to obtain the user's security identifier (SID). The LegacyDN from stage 1, with some random bytes appended, is sent as a deliberately malformed MAPI request body in an HTTP POST that goes through the Autodiscover bypass; the error message that comes back leaks the SID of the mailbox owner. Stage 2 fails if the POST fails or if the response does not indicate a user mailbox. Once the SID is obtained, if it is not already an administrator's, the public PoC replaces its last component (the RID) with 500, producing the SID of the built-in Administrator account.
Stage 3 (CVE-2021-34523):
With the administrator SID, the attacker forges the access token that the PowerShell back end trusts and, again through the Autodiscover SSRF, opens a remote PowerShell session as that administrator. From here arbitrary Exchange cmdlets can be run without ever having authenticated.
Stage 4 (CVE-2021-34523 and CVE-2021-31207):
In this stage the PowerShell session is driven over WS-Management (WSMV, the Web Services Management protocol), and the attacker is ready to run the final exploit: the mailbox export of CVE-2021-31207, which writes the web shell into the web root. Requesting that file then executes attacker-supplied code on the server.
CVE-2021-31206 is likewise trivial to exploit on a vulnerable server, as public video demonstrations have shown.
Monitoring and Investigating:
Mandiant advises that Exchange servers that are, or were previously, vulnerable be monitored and investigated for signs of compromise. The indicators below are drawn from its guidance.
New-ExchangeCertificate used to write a web shell:
Use of the New-ExchangeCertificate PowerShell cmdlet to write a new certificate request to a file with a web extension (.aspx) whose contents include web shell code, indicating an attempt to drop a web shell.
A certificate request file saved as an ASPX file, with the extension '.ASPX.REQ'.
Web shell code found inside the decoded system certificate store.
Creation of new mailboxes and assigning of permissions to access other mailboxes:
Execution of the New-Mailbox PowerShell cmdlet that is not tied to a valid administrative action, or that originates from an unauthenticated remote PowerShell session.
Unauthorized accounts holding the 'Organization Management' or 'Application Impersonation' roles, or accounts with 'Full Access' to other mailboxes.
Unauthorized accounts hidden from Exchange address lists.
Unauthorized access via OWA or other email access methods.
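Mandiant's indicators above are all visible in Exchange's cmdlet logging (the MSExchange Management event log), which records every cmdlet run through the PowerShell back end, including those run through a ProxyShell session. As an added example, not part of the original post or of Mandiant's guidance, the following Python applies those indicators, plus the Mailbox Import Export role grant that the public PoC performs before its export, to constructed log entries. The entries, account names and file paths are made up for illustration, and the message format is a simplified model of what that log records.

```python
import re

# Constructed entries modelled on the MSExchange Management event log as
# (timestamp, caller, message). They are not taken from a real incident.
SAMPLE_CMDLET_LOG = [
    ("2021-08-10 12:00:09", "EXAMPLE\\Administrator",
     "Cmdlet succeeded. Cmdlet New-ManagementRoleAssignment, parameters {Role=Mailbox Import Export, User=Administrator}."),
    ("2021-08-10 12:00:12", "EXAMPLE\\Administrator",
     "Cmdlet succeeded. Cmdlet New-MailboxExportRequest, parameters {Mailbox=Administrator, "
     "FilePath=\\\\localhost\\C$\\inetpub\\wwwroot\\aspnet_client\\hp9oyu.aspx, IncludeFolders=#Drafts#}."),
    ("2021-08-10 12:03:00", "EXAMPLE\\Administrator",
     "Cmdlet succeeded. Cmdlet New-ExchangeCertificate, parameters {GenerateRequest=True, "
     "RequestFile=C:\\inetpub\\wwwroot\\aspnet_client\\cert.aspx.req}."),
    ("2021-08-10 12:05:00", "EXAMPLE\\Administrator",
     "Cmdlet succeeded. Cmdlet New-Mailbox, parameters {Name=svc-backup, UserPrincipalName=svc-backup@example.test}."),
    ("2021-08-10 12:05:30", "EXAMPLE\\Administrator",
     "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=ceo, User=svc-backup, AccessRights=FullAccess}."),
    ("2021-08-10 12:06:00", "EXAMPLE\\Administrator",
     "Cmdlet succeeded. Cmdlet Set-Mailbox, parameters {Identity=svc-backup, HiddenFromAddressListsEnabled=True}."),
    ("2021-08-10 13:00:00", "EXAMPLE\\helpdesk",
     "Cmdlet succeeded. Cmdlet New-MailboxExportRequest, parameters {Mailbox=jdoe, FilePath=\\\\fileserver\\exports\\jdoe.pst}."),
    ("2021-08-10 13:01:00", "EXAMPLE\\helpdesk",
     "Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=jdoe}."),
]

CMDLET_RE = re.compile(r"Cmdlet (?P<cmdlet>[\w-]+), parameters \{(?P<params>.*)\}\.$")
# A file name carrying a web-handler extension anywhere (so cert.aspx.req counts too),
# or a path under an IIS/Exchange web directory, is a web shell drop candidate.
WEB_SHELL_EXT = re.compile(r"\.(aspx|asp|ashx|asmx)(\.|$)", re.IGNORECASE)
WEB_ROOT_HINTS = ("inetpub\\wwwroot", "frontend\\httpproxy", "clientaccess\\owa")


def suspicious_file_target(path: str) -> bool:
    p = path.lower()
    filename = p.rsplit("\\", 1)[-1]
    return bool(WEB_SHELL_EXT.search(filename)) or any(h in p for h in WEB_ROOT_HINTS)


def parse_parameters(raw: str) -> dict:
    params = {}
    for item in raw.split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def review_cmdlet(cmdlet: str, params: dict):
    """Apply the indicators from the text to one invocation; returns a list of (severity, reason)."""
    c = cmdlet.lower()
    hits = []
    if c == "new-mailboxexportrequest" and suspicious_file_target(params.get("FilePath", "")):
        hits.append(("high", "mailbox exported to a web path: " + params["FilePath"]))
    elif c == "new-exchangecertificate" and suspicious_file_target(params.get("RequestFile", "")):
        hits.append(("high", "certificate request written to a web path: " + params["RequestFile"]))
    elif c == "new-managementroleassignment" and params.get("Role", "").lower() == "mailbox import export":
        hits.append(("medium", "Mailbox Import Export role granted to " + params.get("User", "?")))
    elif c == "new-mailbox":
        hits.append(("medium", "new mailbox created: " + params.get("Name", "?")))
    elif c == "add-mailboxpermission" and "fullaccess" in params.get("AccessRights", "").lower():
        hits.append(("medium", f"{params.get('User')} granted FullAccess to {params.get('Identity')}"))
    elif c == "set-mailbox" and params.get("HiddenFromAddressListsEnabled", "").lower() == "true":
        hits.append(("medium", "mailbox hidden from address lists: " + params.get("Identity", "?")))
    return hits


def scan_cmdlet_log(entries):
    """Return (timestamp, caller, cmdlet, severity, reason) tuples to reconcile against change records."""
    findings = []
    for ts, caller, message in entries:
        m = CMDLET_RE.search(message)
        if m is None:
            continue
        params = parse_parameters(m.group("params"))
        for severity, reason in review_cmdlet(m.group("cmdlet"), params):
            findings.append((ts, caller, m.group("cmdlet"), severity, reason))
    return findings


if __name__ == "__main__":
    for finding in scan_cmdlet_log(SAMPLE_CMDLET_LOG):
        print(*finding, sep=" | ")
```

The helpdesk export to a .pst on a file server produces no finding, while the same cmdlet pointed at an .aspx under `inetpub\wwwroot` is the web shell drop; the medium-severity items (new mailbox, FullAccess grant, hidden mailbox) are only meaningful once checked against legitimate change records, which is exactly the "not tied to valid administrative action" test above. Note that an attacker who has reached PowerShell can also clear this log, so an empty log on a server that was exposed is itself a finding.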
How to avoid or mitigate these vulnerabilities:
Here are a few recommendations:
Make sure the patches released by Microsoft are installed (the ProxyShell fixes shipped in the April and May 2021 Exchange security updates). Patching stops the vulnerabilities from being abused further, but if you have already been compromised, the patches do nothing about what the threat actor did after exploitation; that still has to be investigated and cleaned up.
If patching is not possible, monitor closely for suspicious activity and take the server off the internet so that it is reachable only by internal users.
Ensure IPS appliances are updated with signatures for these threats. Once the threat actor is inside your environment, an EDR solution will be the most effective tool for stopping them.
Install Sysmon and watch for ProxyShell-related operations, such as unauthorized Exchange mailbox exports and new .aspx files appearing under the Exchange web directories.
SIEM rules should be updated to identify this activity.
Ensure that all endpoints and servers have host-based protection installed. Check that all of your safeguards are turned on and that your exclusions are kept to a minimum.
We can help!
Are you looking for ongoing advisory services to help identify vulnerabilities, determine which security policies should be in place, and improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of Fortune 100 companies as well as small and medium-sized businesses. Our team has deep knowledge of the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.