Quote:Researchers’ Microsoft Exchange server honeypots are being actively exploited via ProxyShell: The name of an attack disclosed at Black Hat last week that chains three vulnerabilities to enable unauthenticated attackers to perform remote code execution (RCE) and snag plaintext passwords.
 
In his Black Hat presentation last week, Devcore principal security researcher Orange Tsai said that a survey shows more than 400,000 Exchange servers on the internet that are exposed to the attack via port 443. On Monday, the SANS Internet Storm Center’s Jan Kopriva reported that he found more than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find it a snap to pull off, given how much information is available.
 
Going by calculations tweeted by security researcher Kevin Beaumont, this means that, between ProxyLogon and ProxyShell, “just under 50 percent of internet-facing Exchange servers” are currently vulnerable to exploitation, according to a Shodan search.

On the plus side, Microsoft has already released patches for all of the vulnerabilities in question, and, cross your fingers, “chances are that most organizations that take security at least somewhat seriously have already applied the patches,” Kopriva wrote.

The vulnerabilities affect Exchange Server 2013, 2016 and 2019.