Cyberattackers are scanning and exploiting ProxyShell vulnerabilities on unpatched Microsoft Exchange servers.
The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) were patched by Microsoft as part of May patch updates. One of those, CVE-2021-34473, could result in remote code execution.
Security researchers from Huntress wrote about the new ProxyShell attacks in a blog post:
“Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year.”
Huntress spotted multiple zero-day exploits back in March being used to attack on-premises Exchange servers. Attackers now appear to be running similar attacks against the ProxyShell vulnerabilities this month.
Moreover, Huntress published additional updates on August 23 with information on compromised hosts and details on where to find hidden webshells in uncommon or non-standard locations (such as ‘ProgramData’ or ‘C:\Users\All Users’).
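As an added example (not from the article, Huntress, or Microsoft), the following PowerShell hunt lists every .aspx file under the two non-standard locations the update names, with timestamp and hash, so an admin can review each hit; it assumes that webshells dropped on an Exchange host are .aspx files, as is typical for IIS.

```powershell
# Added example (not from the article or Huntress): enumerate .aspx files in the
# non-standard locations the article calls out. Assumption: Exchange webshells
# are .aspx files; .aspx content has no legitimate reason to sit under ProgramData.
$HuntPaths = @(
    $env:ProgramData,        # typically C:\ProgramData
    'C:\Users\All Users'     # junction to ProgramData on modern Windows; kept as the article lists it
)

$Findings = foreach ($Root in $HuntPaths) {
    # -Force includes hidden files; errors (access denied on junctions) are suppressed
    Get-ChildItem -Path $Root -Filter '*.aspx' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

if ($Findings) {
    # Newest files first: a webshell written during the attack window stands out.
    $Findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
} else {
    Write-Output "No .aspx files found under: $($HuntPaths -join ', ')"
}
```

Run it in an elevated PowerShell session on the Exchange server; compare any hash against the indicators in the Huntress and CISA advisories before deciding a file is benign.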
As noted by Threatpost, researchers also discovered threat actors were exploiting ProxyShell vulnerabilities to deliver LockFile ransomware.
Finally, the Cybersecurity and Infrastructure Security Agency (CISA) also issued an urgent alert on the ProxyShell vulnerability exploits on August 21, 2021.
System admins are highly encouraged to patch impacted Exchange servers as soon as possible and monitor for new indicators of compromise as noted in the advisory.