Skip to main content
close search
site logo
Dive Brief

Microsoft Exchange vulnerabilities targeted in ProxyShell attacks

Published Aug. 24, 2021 Updated Sept. 7, 2021
David Jones's headshot
Reporter
Sean Gallup via Getty Images

UPDATE: Sept. 7, 2021: Conti affiliates are using ProxyShell exploits to target organizations during ransomware attacks, according to Sophos research. 

ProxyShell evolved from earlier ProxyLogon attacks and has been observed in recent ransomware attacks, including those used during deployment of the LockFile ransomware, according to Sophos. In the ransomware attacks, dwell times accelerated from what previously took weeks to hours or even faster. 

Meanwhile, researchers at Mandiant responded to ProxyShell exploitation activity, linked to threat actor UNC2980, involving a U.S.-based university in August, according to a blog posted on Friday. The threat actor was observed exploiting CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 to upload webshells.

UPDATE: Aug. 26, 2021: Microsoft updated its Exchange server guidance, urging users to install the latest security updates. Customers are protected if they have installed either the May 2021 or the July 2021 updates, Microsoft said.

Huntress, with the help of security researcher Florian Roth, found evidence of configuration file modification before August in some of the hidden webshells in Exchange. Those modifications predate the previous ProxyShell timeline, Huntress said.

Dive Brief:

  • Months after a nation-state linked campaign against Microsoft Exchange led to malicious exploits against tens of thousands of devices, threat actors are exploiting vulnerabilities known as ProxyShell, in order to install backdoors and enable remote code execution on vulnerable machines, researchers found.

  • Malicious cyber actors are actively exploiting three vulnerabilities, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, the Cybersecurity and Infrastructure Security Agency said Saturday. CISA urged organizations to identify vulnerable systems and immediately apply a Microsoft security update from May 2021.  

  • Huntress Labs data shows the number of unpatched and vulnerable servers has dropped from about 1,900 over the weekend to about 1,764. But the number of compromised servers and incident reports has risen from about 100 to 300, according to John Hammond, senior security researcher at Huntress. Coinciding with the attack, the security firm is now seeing crypto mining activity dubbed WannaMine and ransomware activity from a new group identified as LockFile.

Dive Insight:

At the BlackHat 2021 conference earlier this month, Orange Tsai, principal security researcher at DevCore, highlighted the new attack surface on Microsoft Exchange. Eight vulnerabilities, dating back to January of this year, were linked to the new attack surface on Microsoft Exchange and chained into three attacks: ProxyLogon, ProxyOracle and ProxyShell. 

ProxyLogon was first disclosed on March 2 and is linked to the Hafnium campaign associated with the attacks against Microsoft Exchange. 

The new ProxyShell attacks should not be confused with the ProxyLogon attacks seen during March, Hammond said. However, a similar indicator of compromise occurs in the presence of a malicious .ASPX webshell in the Exchange server’s public web directory. 

"Mandiant has recently observed ProxyShell exploitation across a range of customers and industries," Stuart McKenzie, senior vice president, Mandiant Consulting, EMEA, said via email. "In particular, it is being used by attackers to create webshells on vulnerable systems."

A number of security researchers have developed and released proof of concept code, McKenzie said. That has made it even more difficult to attribute the ProxyShell activity to any one group of threat actors. 

"This means that any group could be leveraging the exploit and organizations who have not patched are vulnerable to attack," McKenzie said. "The patch rates of ProxyShell are low and we would urge companies to apply patches as quickly as possible."

Microsoft officials urged customers to apply security updates released following the Hafnium attacks. 

"We released security updates to help keep our customers safe and protected against this attack technique," Microsoft told Cybersecurity Dive via email. "We recommend that customers adopt a strategy to ensure they are running supported versions of software and promptly install security updates as soon as possible after each monthly security release."

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Torus Unveils Integrated Energy Storage and AI-Driven Cybersecurity Solutions
From Torus
October 24, 2024
Abbott Laboratories Employees Credit Union (“ALEC”) Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Varsity Brands Data Breach Investigation
From Migliaccio and Rathod LLP
October 15, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell