Microsoft has now issued guidance on the actively exploited ProxyShell flaws that affect certain on-premises Microsoft Exchange versions.
ProxyShell is a chain of three security vulnerabilities discovered by Devcore security researcher Orange Tsai (patched in April and May) and used to compromise a Microsoft Exchange server during the Pwn2Own 2021 hacking competition:
- CVE-2021-34523 – Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779)
- CVE-2021-34473 – Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
Although Microsoft had fully fixed the ProxyShell issues by May 2021, CVE IDs for the vulnerabilities were not assigned until July, so some organizations running unpatched servers learned only later that vulnerable systems remained on their networks.
Microsoft Silent About Active Attacks
Security researchers and the US Cybersecurity and Infrastructure Security Agency (CISA) had previously urged administrators to patch their Exchange servers to protect against ongoing attacks, which began in early August, exploiting the ProxyShell vulnerabilities.
Despite earlier warnings of ongoing attacks, Microsoft did not notify customers that their on-premises Exchange servers were under attack until today.
“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities,” according to The Exchange Team.
“If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).”
To prevent ProxyShell attacks, Microsoft recommends installing AT LEAST ONE of the currently supported cumulative updates as well as ALL applicable security updates.
Active Abuse By Multiple Cybercriminals
CISA’s warning on Monday that multiple threat actors are actively exploiting the ProxyShell vulnerabilities followed a similar alert in March advising organizations to defend their networks against a wave of attacks.
The March Exchange attacks were carried out by Chinese state-backed hackers, who targeted tens of thousands of organizations worldwide with exploits for four zero-day Exchange flaws collectively known as ProxyLogon.
After security researchers and threat actors reproduced a working exploit, attackers are now scanning for and attacking Microsoft Exchange servers using the ProxyShell vulnerabilities, just as they did in March.
While the payloads initially dropped on ProxyShell-compromised Exchange servers were harmless, attackers have since moved to deploying LockFile ransomware across Windows domains compromised through the Windows PetitPotam vulnerabilities.
To give a sense of the scope of the problem, security firm Huntress Labs recently reported that by Friday last week it had discovered more than 140 web shells deployed by attackers on over 1,900 compromised Microsoft Exchange servers.
Shodan also tracks tens of thousands of Exchange servers that are vulnerable to ProxyShell attacks, the majority of which are located in the United States and Germany.
Until Microsoft issues further guidance on safeguarding exposed servers and identifying abuse, security researcher Kevin Beaumont’s blog post provides extensive information on how to identify unpatched Exchange servers and detect exploitation attempts.