Microsoft has recently posted the guidance today for the currently abused ProxyShell vulnerabilities harming multiple on-premises Microsoft Exchange versions. ProxyShell is an assemblage of three security bugs patched during April and May founded by a security researcher Orange Tsai, who abused them to negotiate a Microsoft Exchange server during the Pwn2Own 2021 hacking contest:
- CVE-2021-34473: Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-34523: Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779)
- CVE-2021-31207: Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
Despite Microsoft fully patched the ProxyShell flaws by May 2021, they didn’t assign CVE IDs for the vulnerabilities until July, avoiding some of the orgs with unpatched servers from finding that they had vulnerable systems on their networks.
Why Microsoft is so silent on Recent Attacks?
Security Researchers and the US Cybersecurity and Infrastructure Security Agency (CISA) have already been alerted to patch their Exchange servers to defend against recent attacks using ProxyShell exploits that started in early August.
However, despite all the previous alerts of active attacks, Microsoft was unable to inform customers that their on-premises Exchange servers are under attack until today. “In prior week, security investigators discussed several ProxyShell vulnerabilities, consisting of those which might be exploited on unpatched Exchange servers to setup ransomware or conduct other post-exploitation activities,” The Exchange Team said.
“If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are secured from these vulnerabilities. Exchange servers, then you are also secured (but must make sure that all the hybrid Exchange servers are updated).”
Microsoft also says that the customers have to install AT LEAST ONE of the supported latest aggregate updates and all required security updates to block the ProxyShell attacks. Every Microsoft, Exchange servers are vulnerable if any of the following conditions are valid:
- The server is running an older, unsupported CU.
- The server is running security updates for older, unsupported versions of Exchange that were released in March 2021.
- The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.
Ongoing Exploitation by Multiple Threat Actors
CISA’s Monday alert that different threat actors are currently exploiting the ProxyShell vulnerabilities came after the same ones alerting associations in March to protect their networks from a wave of attacks.
The March Exchange attacks were organized by Chinese state-backed hackers who hit around ten thousand organizations across the world using exploits targeting four zero-day Exchange flaws collectively known as ProxyLogon. As it happened in March, threat attackers are now scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities after the security investigators and attackers reproduced processing exploits.
While, in the starting, the ProxyShell payloads dropped on Exchange Servers were gentle, threat actors are now setting up the LockFile ransomware payloads transmitted across the Windows domains negotiated through Windows PetitPotam Exploits.
To have a major of the scale of the concern, security firms recently said it discover more than 140 web shells set up by threat actors on over 1,900 negotiated Microsoft Exchange servers by Friday last week. Shodan is also tracking tens of thousands of Exchange servers vulnerable to ProxyShell attacks, most of them located in the US and Germany.
“New operation in Microsoft Exchange server exploitation underway,” NSA Cybersecurity Director Rob Joyce also alert over the weekend. “You must make sure that you are patched and observing if you are hosting an instance.” The NSA also reminded defenders that instructions published in March on hunting for web shells can still be utilized to defend against ProxyShell ongoing attacks.
