Hackers ‘Abusing’ Microsoft Exchange Server Vulnerabilities: Huntress


Threat researcher Huntress is warning MSPs that the ProxyShell vulnerabilities in on-premises Microsoft Exchange Server could be exploited by cybercriminals as early as this weekend.

Huntress has seen 140-plus webshells on Microsoft Exchange Server 2013, 2016, and 2019. The threat researcher said it has uncovered 1,900-plus unpatched boxes in 48 hours.

“Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year,” said Huntress threat hunter John Hammond in a blog posted Thursday.

The Exchange Server on-premises alert comes just five months after Huntress alerted MSPs to the scope and scale of a blockbuster Microsoft Exchange on-premises breach initiated by Chinese state-sponsored hackers.

At that time, the Ellicott City, Maryland-headquartered Huntress revealed that the scope and scale of the on-premises Exchange Server exploit was much greater than Microsoft initially indicated.

“Back in March of this year, we saw multiple zero-day exploits being used to attack on-premises Exchange servers—and it looks like we’re not out of the woods yet,” said Hammond in Thursday’s blog post. “Those who have not patched since April or May are not safe and could still be exploited.”

Huntress is recommending that MSPs apply the latest security patch, “monitor for new indicators of compromise and stay up to date on new information as it is released.” Huntress has promised to update its post with new findings as it gets them.

Hackers are exploiting the ProxyShell vulnerabilities to “install a backdoor for later access and post-exploitation,” said Hammond. “This ProxyShell attack uses three chained Exchange vulnerabilities to perform unauthenticated remote code execution.”
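The article mentions webshells found on Exchange servers and Huntress's advice to monitor for indicators of compromise. As an added illustration, not code from the article or from Huntress, the script below is a small defender-side hunt that flags recently modified ASP.NET handler files whose contents pass request data into execution. The directory layout, the content patterns and the sample files are constructed assumptions, not indicators from the article.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timedelta, timezone

# File types IIS will execute as server-side code (assumption for this example).
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}
# Constructed heuristics: request-driven evaluation or process launch is rarely
# found in legitimate Exchange pages but is the core of most ASP.NET webshells.
SUSPICIOUS = [
    re.compile(rb"Request\s*\[|Request\.(Form|Item|QueryString|Headers)", re.I),
    re.compile(rb"eval\s*\(|Process\.Start|cmd\.exe|powershell", re.I),
]

def hunt_webshells(root, newer_than):
    """Return (path, pattern_count) for handler files under `root` modified
    after `newer_than` (an aware datetime) that match a suspicious pattern."""
    hits = []
    cutoff = newer_than.timestamp()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                continue          # older than the patch window; skip
            with open(path, "rb") as f:
                data = f.read(1 << 20)   # first 1 MiB is plenty for a triage pass
            matched = sum(1 for p in SUSPICIOUS if p.search(data))
            if matched:
                hits.append((path, matched))
    return hits

def build_sample_tree():
    """Constructed sample data in a temp dir: one old benign page, one fresh
    suspect file. The 'owa/auth' layout is an assumption for the example."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "owa", "auth"))
    benign = os.path.join(root, "owa", "auth", "logon.aspx")
    with open(benign, "wb") as f:
        f.write(b"<%@ Page Language='C#' %><html>login form</html>")
    old = time.time() - 90 * 86400
    os.utime(benign, (old, old))         # pretend it shipped months ago
    suspect = os.path.join(root, "owa", "auth", "x.aspx")
    with open(suspect, "wb") as f:
        f.write(b"<% /* constructed marker, not working code */ eval(Request[\"x\"]) %>")
    return root

if __name__ == "__main__":
    since = datetime.now(timezone.utc) - timedelta(days=30)
    for path, count in hunt_webshells(build_sample_tree(), since):
        print(f"{path}: {count} suspicious pattern(s)")
```

In a real hunt, compare any hit against a known-good baseline of the Exchange install before treating it as a compromise indicator.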

A Microsoft spokesperson said that “customers who have applied the latest updates are already protected against these vulnerabilities.”

Michael Goldstein, CEO of LAN Infotech, a Fort Lauderdale, Fla., solution provider, said the on-premises Exchange Server attack is another sign of the relentless pace of cyberattacks.

“This is exasperating,” he said. “This ongoing…