UPDATED 09:00 EDT / JANUARY 24 2023

SECURITY

New wave of attacks uses known vulnerabilities to target Microsoft Exchange

Researchers at S.C. Bitdefender SRL today warned of a new wave of attacks using known vulnerabilities to target Microsoft Exchange.

The researchers started to notice an increase in attacks using ProxyNotShell/OWASSRF exploits to target on-premises Microsoft Exchange deployments at the end of November. These are Server-Side Request Forgery (SSRF) attacks: the attacker causes a vulnerable server to send a crafted request to a second server, and in doing so gains access to resources and the ability to perform actions on the vulnerable server.

SSRF is among the most commonly and routinely exploited vulnerability classes, for good reason. If a web application is vulnerable to SSRF, an attacker may be able to make the vulnerable server send a request to an internal network resource that the attacker could not ordinarily reach. Alternatively, the attacker might make it send a request to an external server, such as a cloud service, to perform actions on behalf of the vulnerable server.
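The paragraph above describes the core SSRF risk: a server is made to fetch a destination that the attacker cannot reach directly. The usual mitigation in an application that fetches URLs on a caller's behalf is to decide on the resolved addresses, not the hostname text, and refuse internal ranges. The following is an added example written for this article, not code from Bitdefender, Microsoft or Exchange; the host names, addresses and the `constructed_resolver` lookup table are constructed sample data.

```python
"""Outbound-destination check, a common SSRF mitigation (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve via the OS and return every A/AAAA answer so all of them get checked."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def constructed_resolver(host: str) -> list[str]:
    """Constructed lookup table so the example runs offline (not real DNS data)."""
    table = {
        "www.example.com": ["93.184.216.34"],               # public address
        "intranet.example": ["10.1.2.3"],                    # RFC 1918
        "localhost": ["127.0.0.1"],                          # loopback
        "metadata.example": ["169.254.169.254"],             # link-local (cloud metadata)
        "dual.example": ["93.184.216.34", "10.0.0.5"],       # public + internal answer
    }
    if host in table:
        return table[host]
    # A literal IP address "resolves" to itself; anything else is unknown.
    ipaddress.ip_address(host)
    return [host]


def address_is_internal(addr: str) -> bool:
    """True for addresses a caller on the Internet should not be able to reach through us."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 range checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be external, or the URL is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # user@host forms are a classic way to confuse naive host parsing.
        return False, "credentials in URL not allowed"
    try:
        addrs = list(resolver(host))
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} resolves to nothing"
    for addr in addrs:
        try:
            if address_is_internal(addr):
                return False, f"{host} resolves to internal address {addr}"
        except ValueError:
            return False, f"resolver returned non-address {addr!r}"
    return True, f"{host} -> {', '.join(addrs)}"


if __name__ == "__main__":
    for candidate in ("http://www.example.com/feed", "http://intranet.example/admin",
                      "http://[::1]/", "http://metadata.example/latest",
                      "http://dual.example/", "file:///etc/passwd"):
        print(candidate, check_outbound_url(candidate, constructed_resolver))
```

The check must be applied to the addresses that will actually be connected to: resolve once, vet the answers, then connect to the vetted IP (setting the `Host` header yourself) rather than resolving the hostname a second time, otherwise a DNS answer that changes between check and use defeats the filter.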

The new wave of attacks targeting Microsoft Exchange uses multiple techniques to form exploit chains that result in remote code execution. Exchange is particularly exposed to such chains because of its complex network of front-end and back-end services, with legacy code retained to provide backward compatibility.

Back-end services in Exchange also trust requests from the front-end Client Access Services (CAS) layer; in an SSRF attack, a valid Kerberos token is generated by CAS. Exchange is further exposed because multiple back-end services run as the Exchange Server itself, a SYSTEM account, and because Remote PowerShell exposes hundreds of PowerShell cmdlets. Thrown into the mix is an alphabet soup of known vulnerabilities spanning ProxyLogon, ProxyShell, ProxyNotShell and OWASSRF.

The researchers have observed attacks targeting Exchange servers in the U.S. and parts of Europe and the Middle East, across industries such as real estate, legal services, manufacturing, consulting, wholesale, and arts and entertainment.

Microsoft Exchange users are encouraged to reduce their attack surface by focusing on patch management and the detection of misconfigurations. Organizations should also put in place security controls that cover multiple layers of security, including IP/URL reputation for all endpoints and protection against fileless attacks.

“Modern threat actors often spend weeks or months doing active reconnaissance on networks, generating alerts and relying on the absence of detection and response capabilities,” the researchers conclude. “The best protection against modern cyber-attacks is a defense-in-depth architecture.”

Image: Microsoft
