Aperture Podcast: Josh Grunzweig on ProxyLogon Exchange Zero-Day Exploits
By Michael Mimoso | March 18, 2021
Tens of thousands of U.S.-based organizations have reportedly been compromised by threat actors exploiting four zero-day vulnerabilities in Microsoft Exchange on-premises servers. These incidents, on the heels of the SolarWinds supply-chain attacks, have made for a harrowing start to 2021 for many enterprises.
The Exchange attacks—dubbed ProxyLogon—are severe and likely to linger for some time. Victimized organizations are at risk for having their emails stolen, and attackers have also figured out how to chain these vulnerabilities to gain remote-code execution on compromised systems. Already we’ve seen ransomware attacks and the installation of cryptocurrency mining software utilizing exploits for these vulnerabilities.
On this episode of the Aperture Podcast, Josh Grunzweig of Volexity joins to discuss the zero days. The Volexity research team was the first to discover and disclose in-the-wild attacks, allegedly by a Chinese APT group, exploiting these flaws dating back to early January.
Microsoft has since patched these vulnerabilities in an out-of-band emergency release, and this week, the company released a one-click mitigation tool to help with patching. Before Microsoft was able to provide public mitigations, attackers spent the better part of two weeks in a frenzy, compromising as many Exchange servers as possible, leaving behind webshells that can be used for a variety of remote attacks.
During the podcast, Grunzweig shares some details about how Volexity researchers first spotted the attacks on customer machines, what they observed, and how they determined that something more than backdoored systems was in the works.
“What we determined to be the case was that there was an [authentication] bypass vulnerability in Exchange that allowed this threat actor to essentially target specific individuals within this organization that they were very interested in,” Grunzweig recalled. “They were just dumping their inboxes, their sent folders, their draft folders. They were just pulling down as much information as they could from these key figures.”
Throughout the podcast, Grunzweig also discusses:
- How attackers are compromising vulnerable Exchange servers
- What the short- and long-term consequences are from these attacks
- The controversy over proof-of-concept code that was released