A group of ransomware gangs has exploited recently disclosed ProxyShell vulnerabilities to hack into Microsoft Exchange servers. The hackers, known as LockFile, have encrypted Windows domains. ProxyShell is the name given to an attack that comprises three chained Microsoft Exchange vulnerabilities. Because of these vulnerabilities, the hackers managed to do unauthenticated and remote code execution. Interestingly, the development comes close on the heels of Huntress warning about it. 140-plus web shells on Microsoft Exchange Server 2013, 2016, and 2019 were seen by the threat researcher. Huntress had uncovered found over 1,900 unpatched boxes in less than two days. Talking about it, Huntress threat hunter John Hammond had said that ransomware gangs were actively scanning for vulnerable Microsoft Exchange servers. “They were trying to abuse all the latest Microsoft Exchange vulnerabilities that the tech giant had patched in May 2021,” John Hammond said in a blog post. Huntress had alerted about it just five months after it alerted about the on-premises breach. Chinese state-sponsored hackers were behind it. At that time, Huntress had said that the scope and scale of the attack were much more than what was initially anticipated by Microsoft.
“Earlier in March this year, hackers were trying to attack on-premises Exchange servers as multiple zero-day exploits were witnessed by us. The scenario has not improved much since then. Vulnerabilities that have not been patched since then are not safe and therefore there are many chances of them being exploited,” said Hammond. The Elliott City, Maryland-headquartered Huntress had recommended that all latest security patches much be updated by MSPs. “Monitoring for any indications of compromise is important. Also, staying updated on new information as and when it is released is crucial to avoid any untoward incidents,” the blog post reads. Huntress had even promised to keep updating the blog with all the new updates as it gets them. Hammond said that vulnerabilities in ProxyShell are being exploited to install a backdoor. “These hackers would the backdoor for later access. The backdoor can be used to upload other programs and execute them.” LockFile gang then uses these things to take over a domain controller and ultimately the Windows domain. Things got more complicated as there was not much known about the LockFile ransomware operation. It was first seen in July but there was no particular branding.
Microsoft spokesperson had said that users who had applied for the latest updates are free from any kind of vulnerabilities. Meanwhile, experts are of the view that the Exchange server on-premise attack shows that the pace of cyber-attacks has increased. “This is frustrating as such incidents are a major problem for MSPs. This is a wake-up call millions of customers worldwide,” said Michael Goldstein, CEO of LAN Infotech. Cyber experts are recommending users to move to the cloud. Though they feel that even the cloud is not perfect, it manages to provide a lot of security when compared to on-premise Exchange servers. Also, the cloud needs very little attention. “The on-premises solutions require your regular attention as they need to be updated daily and weekly. This could be a tiresome task for many users and therefore it always leaves a space for exploitation. Also, it requires a lot of expertise to make things work properly,” he said. There are several service providers who are reaching out to their customers and asking them to shift to the cloud with Office 365. The only reason customers are sticking to on-premise Exchange servers is that it seems that the cost for hosting MSPs would be cheaper. “But this is not the case when you would consider all the vulnerabilities that come along,” an expert was quoted as saying.