ProxyShell Exchange Server Vulnerabilities Exploited in the Wild
CISA is urging organizations to patch the vulnerabilities in Exchange Server as soon as possible, as attackers are using them to spread ransomware and drop web shells.
Despite some of the bugs being fixed by Microsoft as early as April, experts are renewing the push to patch vulnerabilities in Exchange Server amid a recent push by attackers to spread ransomware and drop web shells on vulnerable servers.
The three vulnerabilities, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, collectively nicknamed ProxyShell in April, were fixed in Microsoft's May 2021 Security Update; CVE-2021-34473 and CVE-2021-34523 were technically fixed in April, but not every organization heeded the calls to patch.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) was forced to issue an urgent alert over the weekend encouraging organizations to find systems running vulnerable versions of Exchange Server and patch the vulnerabilities immediately.
“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” CISA warned.
It's the first time CISA has explicitly marked one of its alerts as "Urgent."
That’s primarily because of the time-sensitive nature of the vulnerabilities and how easy they are to exploit. Several groups are actively exploiting them, including a ransomware group spreading LockFile ransomware and a rash of attackers dropping web shells that can lead to further trouble for organizations.
Researchers with Huntress Labs said on Friday they saw over 140 web shells dropped on over 1,900 unpatched boxes over a two-day period. In reality, there are many more vulnerable servers still sitting out there unpatched.
Victim organizations so far have run the gamut, from "building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more," according to Huntress' Kyle Hanslovan.
A scan carried out by the SANS Institute via Shodan earlier this month discovered around 30,400 machines vulnerable to all three vulnerabilities, with most of those located in the United States and Germany.
Experts, like Kevin Beaumont, a UK threat intelligence analyst who used to work for Microsoft Threat Protection, warned on Saturday that the ProxyShell vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities that surfaced in March.
CISA pressed agencies to patch the ProxyLogon vulnerabilities in an Emergency Directive back in March after Microsoft pushed an emergency out-of-band security update. It also ordered federal agencies to patch four additional Microsoft Exchange vulnerabilities discovered by the NSA in April.
As Beaumont notes, with ProxyLogon you had to know the Exchange administrator mailbox to carry out an attack; with ProxyShell, you don't need to know the identity of an Exchange administrator, something that has made it much easier for attackers over the past month or so. He notes further that Microsoft didn't assign a CVE to each vulnerability until July, even though they were patched in April and May, which may have caused some organizations, especially those that prioritize patching by CVE, to neglect applying the fixes.
ProxyShell, a three-part pre-authentication remote code execution vulnerability chain, was first discovered by Orange Tsai, a researcher with the DEVCORE Research Team, during Pwn2Own 2021. A few weeks ago at Black Hat, he delved further into the attack structure, explaining how a recent change in Exchange Server 2013 apparently opened up a new attack surface.
A New Attack Surface on Microsoft Exchange! The series covers most of my Black Hat USA and DEFCON talks (with slides and video inside). More articles and vulnerabilities are coming soon! https://t.co/lkup5hdyz9
— Orange Tsai (@orange_8361) August 6, 2021