Data Recovery Digest


New Attack Puts Microsoft Exchange Servers At Risk

Originally released decades ago, Microsoft Exchange Server has remained one of the most popular mail servers in existence for more than 25 years. The most recent stable release came in 2018, and while each iteration of the MS Exchange Server has experienced its share of hacks, viruses, and threats, it’s a recent string of attacks that has IT security experts scrambling for a solution.

Investigating the Threat

The most recent attack on MS Exchange Server has put over 100 on-premises instances at risk, and it doesn't even involve traditional hacks, viruses, or malware. Instead, the new attacks exploit the ProxyShell vulnerabilities, which can be used to deliver next-gen web shells and ransomware onto the affected systems.

But unless you’re an advanced user or IT security expert, you might not understand what some of these terms mean. In that case, it’s difficult to understand the exact scope of the threat at hand.

• Virus: Malicious code intended to render the user's machine inoperable by replicating itself, like a biological virus, over and over again.

• Malware: Shorthand for malicious software, a catch-all term for any kind of malicious program. This includes viruses, although the term mostly centers on ransomware, keyloggers, and similar tools used by hackers.

• Ransomware: A particularly brutal type of malware that attempts to seize control of the affected system and hold it for ransom. In many cases, the system is never unlocked or released to the original user, even after the ransom has been paid.

• Web Shell: A malicious script meant to give a hacker persistent access to a target's system. While web shells don't contain any tools or additional software of their own, they are often used in tandem with malware or ransomware to maximize the attackers' efforts.

Monitoring the Threat

The security research team at Huntress Labs identified nearly 2,000 client-owned Exchange servers that were vulnerable to the recent ProxyShell attacks. Thankfully, a security patch is already available for administrators to download and install. Unfortunately, many MS Exchange administrators have a tendency to ignore such patches and updates.

However, ProxyShell doesn't attack any systems on its own. Remember, it's still a simple web shell and, as such, it doesn't include any additional tools. In the recent attacks, however, malicious actors have installed no fewer than five different types of web shells on unpatched MS Exchange Servers, including MS Exchange Server 2019, MS Exchange Server 2016, and MS Exchange Server 2013.

It's through these web shells that the hackers are able to introduce ransomware into the targeted systems. The web shells seen in these recent attacks include XSL Transform, Encrypted Reflected Assembly Loader, Jscript Base64, Arbitrary File Uploader, and more.

Moreover, security researchers have noted that the recent attacks have taken additional steps to avoid detection, so administrators need to be extra diligent when scanning their systems for potential threats.

