365NEWSX

High-severity Microsoft Exchange 0-day under attack threatens 220,000 servers - Ars Technica

Sep 30, 2022 50 secs

Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world.

The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers’ servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473.

Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” members of the Microsoft Security Response Center team wrote.

The vulnerability affects on-premises Exchange servers and, strictly speaking, not Microsoft’s hosted Exchange service.

Searches on Shodan indicate there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.

GTSC went on to say that the malware the threat actors eventually install emulates Microsoft’s Exchange Web Service.

People running on-premises Exchange servers should take immediate action.

Summarized by 365NEWSX ROBOTS
