Active Scanning for Vulnerable Exchange servers (ProxyShell)

What is it?

At the Black Hat USA 2021 security conference, researchers released further details of the Microsoft Exchange Server vulnerability chain now known as ProxyShell, which Microsoft first patched in April 2021. Following the presentation, active scanning for vulnerable servers has been observed.

What is the impact?

According to the security researcher Orange Tsai, "These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443."

Are my systems vulnerable?

The following product versions are vulnerable if the April and May 2021 security updates have not been applied.
At the time of writing, estimates put the number of vulnerable servers exposed to the Internet at around 400,000.

  • Exchange Server 2013 up to CU23
  • Exchange Server 2016 up to CU20
  • Exchange Server 2019 up to CU9

Microsoft recommends using its Exchange Server Health Checker script to get an inventory of server patch levels. Note that Security Updates do not change the version reported by Get-ExchangeServer (AdminDisplayVersion only reflects the Cumulative Update); the installed SU is visible in the file version of ExSetup.exe, which is what Health Checker reads.
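As an added example (not the Health Checker script and not code from the original advisory), the following PowerShell inventories the ExSetup.exe file version on every Exchange server in the organisation and compares it against the May 2021 SU builds, which are the first builds containing all three ProxyShell fixes. It assumes it is run from the Exchange Management Shell with remoting and registry read access to each server; the HKLM\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\MsiInstallPath value is used to locate the Exchange install root. The build numbers in the table are from memory of Microsoft's Exchange build-number table and should be verified against it before relying on the result.

```powershell
# Added example: check whether each Exchange server carries at least the May 2021 SU.
# Get-ExchangeServer's AdminDisplayVersion does not change when an SU is installed, so
# the file version of ExSetup.exe is read instead.
# ASSUMPTIONS: Exchange Management Shell, PowerShell remoting to every server, and the
# registry value HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\MsiInstallPath.

# Key = Major.Minor.Build (identifies the CU); value = first SU revision with all three fixes.
# May 2021 SU (KB5003435) builds; verify against Microsoft's Exchange build-number table.
$MinimumPatchedBuild = @{
    '15.0.1497' = 18   # Exchange 2013 CU23 -> 15.0.1497.18
    '15.1.2242' = 10   # Exchange 2016 CU20 -> 15.1.2242.10
    '15.1.2308' = 8    # Exchange 2016 CU21 -> 15.1.2308.8
    '15.2.792'  = 13   # Exchange 2019 CU9  -> 15.2.792.13
    '15.2.858'  = 5    # Exchange 2019 CU10 -> 15.2.858.5
}

function Get-ExchangeSetupVersion {
    # Returns the ExSetup.exe file version of a server as a [version] object.
    param([Parameter(Mandatory)][string]$Server)
    $fileVersion = Invoke-Command -ComputerName $Server -ScriptBlock {
        $root = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup').MsiInstallPath
        (Get-Item (Join-Path $root 'Bin\ExSetup.exe')).VersionInfo.FileVersion
    }
    # FileVersion is zero-padded, e.g. "15.01.2242.010"; [version] normalises it to 15.1.2242.10
    [version]$fileVersion
}

function Test-ProxyShellPatched {
    # $true when the server's CU is known and its SU revision is at or above the fix.
    param([Parameter(Mandatory)][version]$Version)
    $cu = '{0}.{1}.{2}' -f $Version.Major, $Version.Minor, $Version.Build
    if (-not $MinimumPatchedBuild.ContainsKey($cu)) {
        # Unknown CU: either newer than May 2021 (ships with the fix) or out of support
        # and never patched. Report as unpatched so it gets a manual look.
        return $false
    }
    return $Version.Revision -ge $MinimumPatchedBuild[$cu]
}

Get-ExchangeServer | ForEach-Object {
    $v = Get-ExchangeSetupVersion -Server $_.Fqdn
    [pscustomobject]@{
        Server  = $_.Name
        ExSetup = $v
        Patched = Test-ProxyShellPatched -Version $v
    }
} | Format-Table -AutoSize
```

Servers whose CU is missing from the table are reported as unpatched on purpose: a CU released after May 2021 already contains the fix, but an unsupported CU never received it, and the script cannot tell the two apart without a complete build table.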

How do I mitigate this threat?

The April 2021 security update fixes two of the three vulnerabilities (CVE-2021-34473 and CVE-2021-34523); the third (CVE-2021-31207) was fixed in the May 2021 security update. Note that the two April fixes were only assigned CVE identifiers in July 2021, so a server can be missing them even if it was patched against the CVEs Microsoft published in April. Servers that have applied the May 2021 SU, or a later CU, are protected.

Indicators of Compromise

Observed scanning sources (defanged):

185[.]18[.]52[.]155
192[.]111[.]134[.]68

Azure Sentinel KQL query

The query below flags requests to the Autodiscover endpoint whose query string carries the /mapi/nspi/ backend path, the pattern ProxyShell uses to reach the backend through the frontend. Note that == in KQL is case-sensitive, so =~ is used for the path comparison; IIS logs the path as the client sent it.

W3CIISLog
| where csUriStem =~ "/autodiscover/autodiscover.json"
| where csUriQuery has "/mapi/nspi/"
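The same detection logic, reimplemented as an added PowerShell example (not code from the original advisory) over W3C-format IIS logs, so it can be run on an Exchange server or on exported logs without Sentinel. It mirrors the query above and additionally flags any autodiscover.json request whose query string begins with "@", the path-confusion marker ProxyShell relies on, which also catches probes aimed at a backend other than /mapi/nspi/; that broader rule goes beyond the page's query. The log lines in the block are constructed sample data, and the log path in the final comment is an assumption about a default IIS layout.

```powershell
# Added example: scan W3C IIS log lines for ProxyShell-style Autodiscover requests.

function Find-ProxyShellRequests {
    param(
        [Parameter(Mandatory)][string[]]$LogLines   # contents of a u_ex*.log file
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Column order is declared per log file; map field name -> index.
            $fields = @{}
            $names = $line.Substring(8).Trim() -split ' '
            for ($i = 0; $i -lt $names.Count; $i++) { $fields[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $null -eq $fields) { continue }

        $cols  = $line -split ' '
        $stem  = $cols[$fields['cs-uri-stem']]
        $query = $cols[$fields['cs-uri-query']]

        # Same stem test as the KQL; -ne is case-insensitive in PowerShell.
        if ($stem -ne '/autodiscover/autodiscover.json') { continue }

        $reason = $null
        if ($query -like '*/mapi/nspi/*') {
            $reason = 'mapi/nspi backend reached via Autodiscover (page query)'
        } elseif ($query.StartsWith('@')) {
            $reason = 'Autodiscover path confusion (@ prefix), other backend'
        }
        if (-not $reason) { continue }

        [pscustomobject]@{
            Time     = '{0} {1}' -f $cols[$fields['date']], $cols[$fields['time']]
            ClientIP = $cols[$fields['c-ip']]
            Status   = $cols[$fields['sc-status']]
            Query    = $query
            Reason   = $reason
        }
    }
}

# Constructed sample log (not real data): two ProxyShell-style probes among ordinary traffic.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-08-07 10:15:01 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.corp 443 - 203.0.113.10 python-requests/2.25.1 200 0 0 12
2021-08-07 10:15:02 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302 0 0 8
2021-08-07 10:15:03 10.0.0.5 GET /Autodiscover/Autodiscover.json @test.com/ews/exchange.asmx 443 - 203.0.113.12 curl/7.64.1 200 0 0 15
2021-08-07 10:15:04 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 198.51.100.9 Outlook/16.0 401 1 0 3
'@ -split "`r?`n"

Find-ProxyShellRequests -LogLines $sample | Format-Table -AutoSize

# Against a real log (assumed default IIS path):
# Find-ProxyShellRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex210807.log')
```

A 200 status on a hit is more significant than a 401 or 404: the frontend only returns the backend's response when the path confusion succeeded, so a 200 on an autodiscover.json request with an "@" query on an unpatched server should be treated as a confirmed probe rather than noise.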

Further Information

CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
Reproducing The ProxyShell Pwn2Own Exploit by PeterJson – Medium
Kevin Beaumont on Twitter