The number of servers vulnerable to the Exchange ProxyLogon flaw is continuing to drop, but there are still nearly 30,000 unpatched servers online and many of them appear to have multiple webshells installed by attackers.
Security firm Kryptos Logic on Tuesday said it had scanned 250,000 unique IP addresses for the vulnerability and found 29,796 vulnerable servers. The company also found more than 97,000 webshells installed across more than 15,000 individual IP addresses. That data shows that things are moving in the right direction, as last week Kryptos Logic reported more than 62,000 vulnerable servers.
Microsoft released emergency fixes for four vulnerabilities in Exchange three weeks ago, and the most serious of those bugs is a server-side request forgery issue (CVE-2021-26855) that attackers can use to gain initial access to Exchange servers. The three other vulnerabilities patched in early March can be used for further movement on the server. Public exploit code for the SSRF flaw is widely available, and researchers have identified many separate attack groups targeting it, unfortunately with plenty of success.
“We’ve come to a point now that the original spread was a drive-by, let’s get as many webshells out in the ether as possible. Whether you’re the original actor or not, those webshells are out there and available,” said John Hammond, senior security researcher at Huntress Labs.
“We’re a few weeks in now and people are sharing fragments of public exploits so now it’s open season even more than it already was.”
With tens of thousands of servers still vulnerable, attackers are seizing the opportunity not only to steal sensitive data and gain persistent access to networks, but also to install ransomware and maximize the potential profit. At least two separate strains of ransomware, including DearCry, have been seen in incidents involving the Exchange bug, and the Lemon Duck botnet has started targeting the flaw, too. Although the patches have been available for three weeks, some of the servers that are still vulnerable may never be updated, and even some that have been patched may still carry active webshells that attackers can access.
“Knowing the filename of the webshell and the HTTP variable is all you need. Because there’s so much threat intel out there on these webshells, it wouldn’t be very hard for a threat actor to find one and brute force the key,” Hammond said.
“The patch conversation has a lot of paths to it. There is a point where if you haven’t patched, you kind of throw your hands in the air and say it’s time to go home.”
If patching is not an option at the moment, Microsoft has released instructions for mitigating the vulnerabilities, and has also published a tool that will help find and remove existing webshells on compromised servers.