With the 2021 editions of the BlackHat and DEF CON security conferences wrapped up, one of the presentations that made the biggest waves was the latest research from Orange Tsai of Devcore Security Consulting. Tsai was the researcher who identified and disclosed CVE-2021-26855, better known as ProxyLogon, to Microsoft back in January 2021, well before threat actors were found exploiting it in the wild in March. In his talk, titled “ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!”, Tsai gave a deep dive into Microsoft Exchange Server’s architecture and the security weaknesses its complexity creates. During the talk, he discussed three additional Exchange Server vulnerabilities, collectively dubbed ProxyShell, which Microsoft had already patched in its April and May 2021 security updates.
The vulnerabilities are similar to ProxyLogon in that an attacker only needs HTTPS access to the vulnerable Exchange server, something most administrators expose to the internet to provide Outlook Web Access. Since Tsai’s BlackHat presentation, security researchers have observed adversaries exploiting ProxyShell in the wild to gain remote access to unpatched servers. The good news is that if your Exchange server is current on Microsoft’s security updates, these vulnerabilities are already closed. If it isn’t, you are getting closer to the “it’s already too late” scenario we saw with ProxyLogon in late March. Keep in mind that patching closes the door but does not undo anything an attacker already did: a server that sat exposed and unpatched should also be checked for web shells and other signs of compromise, not just updated.
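Checking whether a server actually carries the April/May 2021 fixes is less obvious than it sounds, because `Get-ExchangeServer`’s `AdminDisplayVersion` only reports the Cumulative Update level, not which Security Update is installed on top of it. The file version of `ExSetup.exe` does change with each SU, so it is the value to compare. The script below is an added example written for this post, not code from Microsoft or from Tsai’s research; it is meant to be run in the Exchange Management Shell on each Exchange server. The minimum build numbers in its table are an assumption (the May 2021 SU builds as recalled by the author of this example) and must be confirmed against Microsoft’s published Exchange Server build numbers before you rely on the result.

```powershell
# Added example (not from the original post): report whether the local Exchange
# server's ExSetup.exe build is at or above the level that carries the
# April/May 2021 Security Updates. AdminDisplayVersion cannot tell you this,
# because it only changes with Cumulative Updates, not Security Updates.
#
# ASSUMPTION: the builds below are the May 2021 SU levels as recalled when this
# example was written. Verify every entry against Microsoft's
# "Exchange Server build numbers and release dates" page before trusting it.

$MinimumFixedBuilds = @{
    # 'major.minor.build' of the CU  ->  first ExSetup.exe build assumed to carry the fixes
    '15.0.1497' = [version]'15.0.1497.18'   # Exchange 2013 CU23, May 2021 SU
    '15.1.2176' = [version]'15.1.2176.14'   # Exchange 2016 CU19, May 2021 SU
    '15.1.2242' = [version]'15.1.2242.10'   # Exchange 2016 CU20, May 2021 SU
    '15.1.2308' = [version]'15.1.2308.8'    # Exchange 2016 CU21 (released with the fixes)
    '15.2.792'  = [version]'15.2.792.15'    # Exchange 2019 CU8,  May 2021 SU
    '15.2.858'  = [version]'15.2.858.12'    # Exchange 2019 CU9,  May 2021 SU
    '15.2.922'  = [version]'15.2.922.7'     # Exchange 2019 CU10 (released with the fixes)
}

function Get-ExchangeSetupBuild {
    # Exchange setup defines ExchangeInstallPath on every server role.
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    if (-not (Test-Path $exSetup)) {
        throw "ExSetup.exe not found under '$env:ExchangeInstallPath'; run this on an Exchange server."
    }
    # FileVersionRaw is the [version] PowerShell exposes on FileVersionInfo (PS 4.0+),
    # which avoids parsing the zero-padded FileVersion string (e.g. 15.02.0858.012).
    return [version](Get-Item $exSetup).VersionInfo.FileVersionRaw
}

function Test-ExchangeBuildFixed {
    param([Parameter(Mandatory)][version]$Build)

    $cuKey = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if ($MinimumFixedBuilds.ContainsKey($cuKey)) {
        $min = $MinimumFixedBuilds[$cuKey]
        return [pscustomobject]@{
            Build  = $Build
            Fixed  = ($Build -ge $min)
            Reason = "minimum fixed build for CU $cuKey is $min"
        }
    }

    # CU not in the table: compare within the same product line (15.0 / 15.1 / 15.2).
    # A CU newer than the last one listed shipped with the fixes; an older one did not.
    $sameLine = $MinimumFixedBuilds.Values |
        Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor }
    if (-not $sameLine) {
        return [pscustomobject]@{
            Build  = $Build
            Fixed  = $false
            Reason = "product line $($Build.Major).$($Build.Minor) is not in the table; check Microsoft's build list"
        }
    }
    $newest = ($sameLine | Sort-Object)[-1]
    return [pscustomobject]@{
        Build  = $Build
        Fixed  = ($Build -ge $newest)
        Reason = "CU $cuKey is not in the table; it is $(if ($Build -ge $newest) {'newer'} else {'older'}) than the last listed fixed build $newest"
    }
}

$build  = Get-ExchangeSetupBuild
$result = Test-ExchangeBuildFixed -Build $build
if ($result.Fixed) {
    Write-Host "ExSetup.exe build $($result.Build): April/May 2021 fixes appear present ($($result.Reason))."
} else {
    Write-Warning "ExSetup.exe build $($result.Build) is below the fixed level ($($result.Reason)). Install the latest Security Update."
}
```

The script only inspects the server it runs on; to cover a whole environment, run it against each server with `Invoke-Command`, or feed the per-server output into whatever inventory you already keep. Because the table is keyed on the Cumulative Update, a CU that was never listed is judged by its position in its product line, which errs toward reporting an unknown older CU as unfixed rather than silently passing it.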
If you’re a WatchGuard customer, we expect IPS signatures to become available within a day or two of this post.