Exchange Vulnerability ProxyShell Is Actively Attacked After Disclosure – Computer – News

Several security companies and government agencies are warning about vulnerabilities in Microsoft Exchange. These are collectively known as ProxyShell and are actively attacked after they were made public at the BlackHat conference.

The warnings come from: the Dutch Digital Trust Center and security researchers like Kevin Beaumont. The vulnerabilities allow remote code execution on Exchange servers, without the need for authentication.

It is an attack that consists of three different vulnerabilities, which together have been named ProxyShell. The attacks target the Client Access Service and PowerShell, which is where the name comes from.

The vulnerabilities make it possible to access control list in firewalls, then use PowerShell to run a local privilege escalation to set up. The third vulnerability can then be used to execute code.

The vulnerabilities are not new; they were discovered weeks ago during hacker competition Pwn2Own. Security researcher Orange Tsai from Devcore discovered the vulnerabilities and won $200,000 for it.

Now Tsai has made his findings public during Black Hat security conference, which took place in Las Vegas last week. ProxyShell is very similar to ProxyLogon, an attack vector recently released by Tsai.

Now that the vulnerabilities are public, both Tsai and other security researchers are seeing servers under active attack. Microsoft has already released updates in April and May that fix the bugs. Nevertheless, Tsai sees that there are still at least 400,000 servers accessible from the internet that have not yet implemented the patches.

–