Microsoft has finally published guidance today for the actively exploited ProxyShell vulnerabilities impacting multiple on-premises Microsoft Exchange versions.
ProxyShell is a collection of three security flaws (patched in April and May) discovered by Devcore security researcher Orange Tsai, who exploited them to compromise a Microsoft Exchange server during the Pwn2Own 2021 hacking contest:
- CVE-2021-34473 – Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-34523 – Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
Although Microsoft fully patched the ProxyShell bugs by May 2021, they didn’t assign CVE IDs for the vulnerabilities until July, preventing some orgs with unpatched servers from discovering that they had vulnerable systems on their networks.
Microsoft silent on active attacks
Security researchers and the US Cybersecurity and Infrastructure Security Agency (CISA) have already warned admins to patch their Exchange servers to defend against ongoing attacks using ProxyShell exploits that started in early August.
However, despite all previous warnings of active attacks, Microsoft did not inform customers until today that their on-premises Exchange servers are under attack.
“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities,” the Exchange Team said. [emphasis ours]
“If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).”
Microsoft says that customers must install AT LEAST ONE of the supported latest cumulative updates and ALL applicable security updates to block ProxyShell attacks.
Per Microsoft, Exchange servers are vulnerable if any of the following conditions are true:
- The server is running an older, unsupported CU;
- The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or
- The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.
Active exploitation by multiple threat actors
CISA’s Monday warning that multiple threat actors are actively exploiting the ProxyShell vulnerabilities came after similar ones alerting organizations in March to defend their networks from a wave of attacks.
The March Exchange attacks were orchestrated by Chinese state-backed hackers who hit tens of thousands of organizations worldwide using exploits targeting four zero-day Exchange bugs collectively known as ProxyLogon.
Just as it happened in March, attackers are now scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities after security researchers and threat actors reproduced a working exploit.
While the ProxyShell payloads dropped on Exchange servers were initially harmless, attackers are now deploying LockFile ransomware payloads across Windows domains compromised via Windows PetitPotam exploits.
To get an idea of the scale of the issue, security firm Huntress Labs recently said it had found more than 140 web shells deployed by attackers on over 1,900 compromised Microsoft Exchange servers by Friday last week.
Shodan is also tracking tens of thousands of Exchange servers vulnerable to ProxyShell attacks, most of them located in the US and Germany.
“New surge in Microsoft Exchange server exploitation underway,” NSA Cybersecurity Director Rob Joyce also warned over the weekend. “You must ensure you are patched and monitoring if you are hosting an instance.”
Until Microsoft releases further guidance on protecting and detecting vulnerable servers against exploitation, you can find detailed info on how to identify unpatched Exchange servers and how to detect exploitation attempts in the blog post published by security researcher Kevin Beaumont.