According to a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.
Microsoft has also warned of a new family of human-operated ransomware, detected as Ransom:Win32/DoejoCrypt.A, whose operators are using the Microsoft Exchange vulnerabilities to compromise customers. The heavy exploitation of the flaws by cybercriminals is a result of proof-of-concept (PoC) code shared on GitHub by a security researcher; Microsoft has since taken the PoC down.
How does ProxyLogon allow an attacker to access victims' Exchange Servers?
Successful weaponization of the Exchange Server flaws allows an attacker to gain persistent system access and control of an enterprise network.
Attacks on vulnerable Exchange Servers expanded rapidly, with several threat actors exploiting the vulnerabilities before Microsoft patched them last week. With the new ransomware threat, unpatched servers are at risk not only of data theft but also of being encrypted, which would cut off access to the organization's mail.
Thousands of entities, including the European Banking Authority, have been breached via ProxyLogon to install a web-based backdoor, the China Chopper web shell, which grants attackers the ability to plunder mailboxes and remotely access target systems.
Microsoft believes the initial attacks originate from Hafnium, a state-sponsored hacker group operating out of China. Besides installing the web shell, behaviors tied to Hafnium activity include reconnaissance of victim environments using batch scripts that automate functions such as network discovery, account enumeration, and credential harvesting.
Other groups discovered to be exploiting the vulnerabilities prior to the patch release are Websiic, Tick, LuckyMouse, Calypso, and Winnti (APT41), with others such as ShadowPad, Mikroceen, and DLTMiner compromising Exchange servers in the days immediately after the release of the fixes.
How to mitigate the ProxyLogon flaws
The avalanche of attacks is a warning to users to patch all versions of Exchange Server as soon as possible and to take the necessary steps to identify signs of compromise, given that attackers were exploiting the zero-day vulnerabilities in the wild for months before Microsoft released the patches.
The best advice, therefore, is to apply the relevant patches; organizations must also shift into response and remediation activities to counter any existing intrusions, since patching alone does not remove a web shell that an attacker has already installed.
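One concrete way to look for the web-shell footprint described above is to compare the served web directories against a known-good manifest: dropping a shell such as China Chopper means writing a new server-executable file (or altering an existing one) into a directory the web server will run. The Python below is an added example written for this page, not code from the article, Microsoft, or CISA; the directory layout and file names it creates are constructed for the demo, and it assumes the baseline manifest was built from a clean state (a fresh install, or a copy taken before the exposure window).

```python
"""Baseline-and-diff check for unexpected server-side script files.

Added example (not from the original article). A defender hashes every file
under a web root while it is known to be clean, stores that manifest, and
later re-scans the same tree: any new or modified file with a server-side
script extension is reported for investigation.
"""
import hashlib
import os
import tempfile

# Extensions the web server will execute; a new or changed file with one of
# these under a served directory is the classic footprint of a dropped shell.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}


def build_manifest(root):
    """Map each file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists (added, modified, removed) of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def suspicious_findings(baseline, current):
    """Keep only added/modified files that the web server would execute."""
    added, modified, _removed = diff_manifest(baseline, current)
    findings = []
    for label, paths in (("new-script", added), ("modified-script", modified)):
        for path in paths:
            if os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((label, path))
    return findings


def _write(root, rel, text):
    """Helper for the demo: create a text file at root/rel."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a clean web root, then re-scan after changes.

    The directory layout and file names are made up for this demo; they are
    not Exchange's real files.
    """
    with tempfile.TemporaryDirectory() as root:
        _write(root, "owa/auth/logon.aspx", "<%-- legitimate page --%>")
        _write(root, "owa/auth/logo.png", "png-bytes")
        baseline = build_manifest(root)  # taken from the known-good state

        # Later: one new script file appears, one legitimate page is altered,
        # and one harmless log file is written (not a script, so not flagged).
        _write(root, "owa/auth/dropped.aspx", "<%-- unexpected new file --%>")
        _write(root, "owa/auth/logon.aspx", "<%-- legitimate page, altered --%>")
        _write(root, "owa/auth/scan.log", "noise")
        current = build_manifest(root)

        return suspicious_findings(baseline, current)


if __name__ == "__main__":
    for label, path in demo():
        print(f"{label}: {path}")
```

On a real host the baseline must predate the exposure window; a manifest built after the attackers' visit simply baselines the shell in, which is why a clean install or an offline copy is the right reference. Store the manifest off-host, and treat any new or modified server-executable file under the web roots as an incident to investigate rather than a file to delete quietly, since the shell is usually the first artifact of a broader intrusion.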