CISA warns of ProxyShell attacks against Exchange servers.
Over the weekend, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that hostile actors are actively exploiting the recently disclosed Microsoft Exchange vulnerabilities known as ProxyShell. The ProxyShell issues, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, potentially allow an attacker to execute arbitrary code on a target machine. By chaining the three weaknesses together, an attacker can run code remotely without authenticating. CVE-2021-34473 and CVE-2021-34523 were patched by Microsoft in April 2021, although details about them were first published in July; the patch for CVE-2021-31207 was released in May 2021. The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019.

“CISA strongly advises enterprises to identify vulnerable computers on their networks and immediately deploy Microsoft’s Security Update from May 2021—which addresses all three Proxy Shell vulnerabilities—to protect themselves from these attacks,” CISA writes in its alert.

Researchers from security consulting firm DEVCORE first demonstrated the flaws at the 2021 Pwn2Own hacking competition, earning a $200,000 bug bounty for their findings. Attackers began scanning for vulnerable servers shortly after the details of the security holes were presented at the Black Hat and DEF CON cybersecurity conferences in early August. At least 30,000 affected systems are believed to be accessible from the Internet, with the majority of them located in the United States and Germany. A few days later, actual attacks were observed.

Last week, security firm Huntress Labs reported that attackers had used at least five different types of web shells on the compromised systems. Over 140 web shells were discovered on more than 1,900 unpatched systems, according to the researchers.

Multiple threat actors are using the ProxyShell vulnerabilities, according to security researcher Kevin Beaumont, including in ransomware operations. He points out that the fact that no authentication is needed prior to exploitation makes these issues exceedingly significant. “I have been tracking many threat actors, including those operating from US internet service providers and deploying in manners similar to Hafnium back in January-March,” says Beaumont, who adds that “mass and rising exploitation” has been observed for weeks. Hundreds of US government systems are vulnerable to ProxyShell and currently unpatched, making them easily exploitable. He points out that these systems have “*.gov SSL certificate hostnames within the United States.”

Organizations should keep their Exchange servers up to date, or at the very least run a patch level that addresses these specific security issues, to stay safe.