The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers’ servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473.
Eventually, the researchers discovered that the unknown hackers were exploiting a previously unknown Exchange vulnerability chain, one that patches for ProxyShell did not close.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” members of the Microsoft Security Response Center team wrote.

The vulnerabilities affect on-premises Exchange servers and not, strictly speaking, Microsoft’s hosted Exchange Online service. Hybrid deployments, which keep an on-premises server alongside the hosted service, are still exposed through that on-premises server.

Searches on Shodan indicate there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.

GTSC went on to say that the malware the threat actors eventually install emulates Microsoft’s Exchange Web Services (EWS), so that its traffic blends in with legitimate client requests to the server.

People running on-premises Exchange servers should take immediate action: review IIS logs for exploitation attempts and apply the vendor’s mitigations as they are published.
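On an on-premises server, the first practical step is to hunt the IIS logs for the request pattern GTSC published alongside its report. The Python below is an added example, not code from the article, from GTSC or from Microsoft. It parses a constructed sample of IIS W3C log lines (documentation addresses and an example hostname, not real traffic) and applies GTSC's published hunting regex `powershell.*autodiscover\.json.*\@.*200`, with two changes of my own: the trailing `200` is checked against the parsed `sc-status` field instead of loose text, and the request target is URL-decoded once before matching, because a percent-encoded copy of the same request otherwise slips past a raw-text match.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Request-side part of the regex GTSC published for hunting this exploit
# chain in IIS logs (the original pattern ends in ".*200"; that status
# check is done on the parsed sc-status field below instead).
REQUEST_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@", re.IGNORECASE)

# Constructed sample IIS W3C log (not real traffic). Hostnames and client
# addresses are documentation/example values. The fourth record is the
# same request as the second, but percent-encoded.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:01:12 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2022-09-29 10:02:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 350
2022-09-29 10:03:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 198.51.100.23 Mozilla/5.0 - 401 1 0 15
2022-09-29 10:03:30 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example%2Fpowershell&Email=autodiscover%2Fautodiscover.json%253f%40evil.example 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 340
2022-09-29 10:04:10 10.0.0.5 GET /ecp/ - 443 admin 10.0.0.8 Mozilla/5.0 - 200 0 0 45
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request.

    Field names come from the '#Fields:' directive. IIS never writes a
    literal space inside a field value (it encodes them as '+'), so a plain
    split on single spaces is safe. Records whose field count does not
    match the header (truncated lines) are skipped.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def hunt_exploit_attempts(log_text: str, only_successful: bool = True) -> List[Dict[str, str]]:
    """Return requests matching the published exploit pattern.

    With only_successful=True (the default), only requests the server
    answered with HTTP 200 are returned, mirroring the '200' at the end of
    GTSC's original regex; pass False to also see blocked or failed attempts,
    which still indicate that someone is targeting the server.
    """
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(log_text):
        query = rec["cs-uri-query"]
        # Rebuild the request target and decode it once so an encoded copy of
        # the request cannot evade the match (my addition to the check).
        target = unquote(rec["cs-uri-stem"] + ("?" + query if query != "-" else ""))
        if not REQUEST_PATTERN.search(target):
            continue
        if only_successful and rec["sc-status"] != "200":
            continue
        hits.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "status": rec["sc-status"],
            "target": target,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_exploit_attempts(SAMPLE_IIS_LOG, only_successful=False):
        print(hit["time"], hit["client"], hit["status"], hit["target"])
```

On a real server, read the files under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*`) into `hunt_exploit_attempts` instead of the constructed sample. A hit with status 200 means the request reached the backend and deserves incident-response treatment, not just a block rule; a hit with another status still tells you the host is being targeted.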