Microsoft Breaks Silence on Barrage of ProxyShell Attacks

versions of the software are affected by a spate of bugs under active exploitation.

Microsoft has broken its silence on the recent barrage of attacks on several ProxyShell vulnerabilities in Exchange that were highlighted by a researcher at Black Hat earlier this month.

The company released an advisory late Wednesday letting customers know that threat actors may use unpatched Exchange servers “to deploy ransomware or conduct other post-exploitation activities” and urging them to update immediately.

“Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,” the company said. “Please update now!”
Customers that have installed the May 2021 security updates or the July 2021 security updates on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated, the company wrote.

“But if you have not installed either of these security updates, then your servers and data are vulnerable,” according to the advisory.

The ProxyShell bugs were outlined by Devcore principal security researcher Orange Tsai in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) enable an adversary to trigger remote code execution on Microsoft Exchange servers. Microsoft said the bugs can be exploited in the following cases:

–The server is running an older, unsupported CU;

–The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or

–The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

“In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected,” according to Microsoft. “Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.”

Sounding the Alarm

Following Tsai’s presentation on the bugs, the SANS Internet Storm Center’s Jan Kopriva reported that he found more than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find exploiting them easy, given how much information is available.

Security researchers at Huntress also reported seeing ProxyShell vulnerabilities being actively exploited throughout the month of August to install backdoor access once the ProxyShell exploit code was published on Aug. 6. But starting last Friday, Huntress reported a “surge” in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.

The Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing an urgent alert. The agency, too, urged organizations to immediately install the latest Microsoft Security Update.

At the time, researcher Kevin Beaumont expressed criticism over Microsoft’s messaging efforts surrounding the vulnerability and the urgent need for its customers to update their Exchange Server security.

“Microsoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for – obviously – decades,” Beaumont explained.

But Beaumont said these remote code execution (RCE) vulnerabilities are “…as serious as they come.” He noted that the company did not help matters by failing to allocate CVEs for them until July — four months after the patches were issued.

In order of patching priority, according to Beaumont, the vulnerabilities are: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

CVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to an ACL bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege in the Exchange PowerShell backend. CVE-2021-31207, a bug in which a post-auth arbitrary file write leads to remote code execution, was patched in May.