TL;DR: ProxyLogon is a vulnerability chain in on-premises Microsoft Exchange Server (a server-side request forgery in the Exchange front end, CVE-2021-26855, chained with an arbitrary file write, CVE-2021-27065) that lets an attacker who can reach the server over HTTPS run code on it without any credentials. It was exploited in the wild before a patch existed, first by the Hafnium group, which Microsoft assesses to be state-sponsored and operating out of China, and then by many other actors once the technique became public. Organisations running Exchange on-premises should apply Microsoft's March 2021 security updates immediately, apply the interim mitigations wherever they cannot patch yet, and, because patching does not remove an attacker who is already in, hunt for web shells and exploitation traces in the Exchange logs and contain any compromise they find.
On-premises Exchange Server deployments have been under active attack through a vulnerability chain known as ProxyLogon, which gives an attacker remote code execution on an unpatched server without valid credentials. Its first known user was the Hafnium group, which Microsoft attributes to China; several other threat actors picked it up within days of the public disclosure in early March 2021. Exchange Online is not affected.
ProxyLogon is a pre-authentication remote code execution chain in on-premises Exchange Server 2013, 2016 and 2019. The entry point is a server-side request forgery in the Exchange front end (the Client Access services that proxy requests to the back end): an HTTPS request carrying a crafted cookie makes the front end forward the request to a back-end endpoint as though it were already authenticated, which lets the attacker act as the Exchange server itself, including against the Exchange Control Panel. A second flaw, an arbitrary file write that becomes reachable once the front end accepts the forged request, lets the attacker save an ASP.NET web shell into a directory IIS serves; the shell then runs with the SYSTEM privileges of the Exchange worker process. The attack needs no credentials and does not depend on a misconfiguration: any unpatched server whose port 443 the attacker can reach is exploitable.
The chain has been used by a number of threat actors. Microsoft first observed it in the hands of Hafnium, a group it assesses to be state-sponsored and operating out of China, against organisations in the United States across many sectors, including infectious disease research, law firms, higher education, defence contractors, policy think tanks and NGOs. After planting a web shell, the group dumped credentials from LSASS memory, exported mailboxes and staged the archives for exfiltration, and used the SYSTEM-level foothold to move further into the network. Once the vulnerabilities were public, mass scanning and exploitation by other groups followed within days, and by mid-March ransomware operators were deploying DearCry through the same web shells.
Microsoft released out-of-band security updates on 2 March 2021 for Exchange 2013, 2016 and 2019, plus a defence-in-depth update for the out-of-support Exchange 2010. The update only installs on a supported Cumulative Update, so servers that are behind on CUs must be brought current first; do not let that delay the interim mitigations. Apply the update to every Exchange server, not only the internet-facing ones, and then reduce the attack surface:
- Where the update cannot be installed immediately, apply Microsoft's interim mitigations: an IIS URL Rewrite rule that aborts any request whose Cookie header contains X-AnonResource-Backend or X-BEResource (this blocks the SSRF entry point, and normal clients never send those cookies), and disabling the Unified Messaging service and the ECP and OAB application pools until the patch is on. Microsoft's Exchange On-premises Mitigation Tool (EOMT) automates these. The rewrite rule is a stop-gap, not a substitute for the update.
- Restrict access to port 443 on Exchange to trusted networks or a VPN where the business allows it. The chain needs nothing more than an HTTPS connection to the front end, so reducing who can reach it directly reduces exposure.
- Keep TLS and multi-factor authentication in place, but understand that neither mitigates ProxyLogon: the malicious request is already encrypted and the attacker never presents credentials.
- Do not disable Autodiscover or Exchange Web Services as a mitigation. They are not the vulnerable component, and turning them off breaks Outlook and mobile clients without closing the hole.
Patching does not evict an attacker who arrived before the patch, so every server that was exposed while unpatched must be checked for exploitation. Microsoft's Test-ProxyLogon.ps1 script automates the log checks below; the indicators to look for are:
- HttpProxy logs (under %ExchangeInstallPath%\Logging\HttpProxy) containing requests whose AnchorMailbox value begins with ServerInfo~, which is the signature of the SSRF, usually from an external IP with a scripting user agent such as python-requests.
- ECP server logs containing Set-OabVirtualDirectory (or other Set-*VirtualDirectory commands) whose ExternalUrl carries embedded server-side script; this is the file-write step that plants the web shell.
- New .aspx files in the IIS and Exchange web directories, in particular \inetpub\wwwroot\aspnet_client\ and the FrontEnd\HttpProxy\owa\auth\ directory under the Exchange installation, often with names chosen to look like legitimate Exchange files or random short names.
- The IIS worker process w3wp.exe spawning cmd.exe or powershell.exe, credential dumping against lsass.exe, new mailbox export requests, and compressed archives appearing in writable directories such as C:\ProgramData or C:\Windows\Temp.
- Unexplained new accounts, scheduled tasks or services on the Exchange server or elsewhere in the domain, since attackers used the SYSTEM-level foothold to persist and move laterally.
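The log checks above, turned into a small triage script. This is an added example written for this page, not Microsoft's Test-ProxyLogon.ps1 and not code from the original article; it is in Python rather than PowerShell so the logic is easy to lift into a SIEM or a log pipeline. Both log samples are constructed and reduced to a handful of columns, so the column names used here (ClientIpAddress, AnchorMailbox, Command, Details) are assumptions about layout; the patterns it hunts for (a ServerInfo~ AnchorMailbox, a Set-*VirtualDirectory command carrying script) are the ones described above. The last function reproduces the condition of the interim IIS URL Rewrite rule from the mitigation list, so a reverse proxy or WAF in front of Exchange could apply the same block.

```python
import csv
import re

# Constructed sample of an Exchange HttpProxy log (found under
# %ExchangeInstallPath%\Logging\HttpProxy\ on a real server). Real files carry
# several dozen columns; only the ones this check needs are kept, so the exact
# column set here is an assumption about layout, not a verbatim log.
HTTPPROXY_SAMPLE = """#Software: Microsoft Exchange Server
#Fields: DateTime,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus,UserAgent
2021-03-03T10:15:01.000Z,203.0.113.7,/owa/auth/x.js,ServerInfo~a]@exchange.contoso.local/autodiscover/autodiscover.xml?#,200,python-requests/2.25.1
2021-03-03T10:15:02.000Z,203.0.113.7,/ecp/y.js,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?#,200,python-requests/2.25.1
2021-03-03T10:16:44.000Z,10.0.0.23,/owa/,alice@contoso.local,200,Mozilla/5.0
2021-03-03T10:17:05.000Z,10.0.0.41,/ews/exchange.asmx,bob@contoso.local,200,Microsoft Office/16.0
"""

# Constructed sample of an ECP server log (%ExchangeInstallPath%\Logging\ECP\Server\),
# again reduced to the columns the check uses. The first row is what the web-shell
# drop looks like: a virtual-directory ExternalUrl that carries server-side script.
ECP_SAMPLE = """#Fields: DateTime,RequestId,Command,Details
2021-03-03T10:15:03.000Z,7f1a,Set-OabVirtualDirectory,"ExternalUrl=http://f/<script language=""JScript"" runat=""server"">function Page_Load(){/* web shell body */}</script>"
2021-03-03T10:15:04.000Z,7f1b,Set-OabVirtualDirectory,"ExternalUrl=https://mail.contoso.local/OAB"
2021-03-03T11:02:10.000Z,80c2,Get-Mailbox,"Identity=alice"
"""

SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/]*/")      # SSRF marker in AnchorMailbox
VDIR_WRITE = re.compile(r"Set-\w*VirtualDirectory")         # ECP command used for the file write
SCRIPT_IN_URL = re.compile(r"<script|runat\s*=", re.IGNORECASE)
# Cookie names the interim IIS URL Rewrite mitigation aborts on; normal clients never send them.
BACKEND_COOKIES = ("X-AnonResource-Backend", "X-BEResource")


def parse_exchange_log(text):
    """Parse Exchange's '#Fields:'-headed CSV log format into a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue                        # other '#' preamble lines and blanks
        elif fields is None:
            raise ValueError("data row seen before the #Fields header")
        else:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def find_serverinfo_requests(rows):
    """Rows whose AnchorMailbox starts with 'ServerInfo~': the CVE-2021-26855 SSRF."""
    return [r for r in rows if SERVERINFO_ANCHOR.match(r.get("AnchorMailbox", ""))]


def find_script_in_vdir_writes(rows):
    """ECP rows where a Set-*VirtualDirectory command carried script in its details:
    the CVE-2021-27065 write that plants the web shell."""
    return [r for r in rows
            if VDIR_WRITE.search(r.get("Command", "")) and SCRIPT_IN_URL.search(r.get("Details", ""))]


def request_targets_backend(cookie_header):
    """Same condition as the interim IIS rewrite rule: abort if the Cookie header
    contains either backend-override cookie (case-sensitive substring match)."""
    return any(name in cookie_header for name in BACKEND_COOKIES)


def triage(httpproxy_text, ecp_text):
    """Run both log checks and summarise by source IP and ECP request id."""
    ssrf = find_serverinfo_requests(parse_exchange_log(httpproxy_text))
    writes = find_script_in_vdir_writes(parse_exchange_log(ecp_text))
    return {
        "ssrf_sources": sorted({r["ClientIpAddress"] for r in ssrf}),
        "ssrf_requests": len(ssrf),
        "webshell_write_ids": [r["RequestId"] for r in writes],
    }


if __name__ == "__main__":
    for key, value in triage(HTTPPROXY_SAMPLE, ECP_SAMPLE).items():
        print(f"{key}: {value}")
    exploit_cookie = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3"
    print("rewrite rule would abort exploit request:", request_targets_backend(exploit_cookie))
```

On a real server, point parse_exchange_log at every file under the HttpProxy and ECP\Server log directories rather than the samples, and treat any ServerInfo~ hit from an address that is not one of your own Exchange servers as confirmed exploitation attempt; the ECP hit tells you whether the attempt got as far as writing a file.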
If any of these indicators is present, treat the server and every credential it held as compromised and work the incident, not just the server:
- Isolate the server from the internet and from the rest of the network immediately, but do not reboot, rebuild or restore it until evidence is preserved: copy the Exchange and IIS logs, the web shells themselves and, where feasible, a memory image. The logs are what tell you how far the intruder got and when the first ServerInfo~ request arrived.
- Remove the web shells and any other persistence (scheduled tasks, services, added accounts), or preferably rebuild the server from a known-good installation and restore only mailbox data. Restoring from a backup taken after the intrusion brings the web shell back with it.
- Rotate the passwords of every account that authenticated to the server and of Exchange's service accounts; if LSASS was dumped, assume every credential cached on the box is known to the attacker. Check domain controllers and other servers for logons from the Exchange server in the window after the first malicious request.
- Only then apply the update (or EOMT) and bring the server back, and keep monitoring it. Repeat the log checks on every Exchange server, since actors scanned indiscriminately and a second, quieter server may also be compromised.
ProxyLogon was exploited before a patch existed and against a large number of servers within days of disclosure, so an Exchange server that was reachable from the internet and unpatched in early March 2021 should be assumed exploited until its logs show otherwise. Patch, mitigate what cannot be patched yet, hunt, and contain, in that order of urgency.