Home News Unpatched Microsoft Exchange Servers Under ProxyShell Attack

Unpatched Microsoft Exchange Servers Under ProxyShell Attack

CISA stated that attackers are exploiting three Microsoft Exchange ProxyShell vulnerabilities to execute arbitrary code on vulnerable systems.

SHARE
ProxyShell Vulnerabilities
Read Aloud

While organizations are battling to boost their cybersecurity capabilities, cybercriminals continue to prey on security loopholes. Active exploitation of unpatched vulnerabilities has become a common attack vector today. The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about threat actors exploiting “ProxyShell” vulnerabilities in Microsoft Exchange servers.

In a security advisory, CISA stated that attackers are exploiting vulnerabilities, tracked as CVE-2021-34473CVE-2021-34523, and CVE-2021-31207, to execute arbitrary code on vulnerable systems. The flaws can enable threat actors to evade ACL controls and obtain privilege access on the Exchange PowerShell backend platform, allowing them to execute unauthenticated and remote code execution.

How were the ProxyShell vulnerabilities used?

ProxyShell vulnerabilities are often exploited to run malicious codes and infect the unpatched servers. Attackers used the three vulnerabilities as:

  • CVE-2021-31207 – This is a Microsoft Exchange Server security feature bypass vulnerability, allowing remote users to bypass the authentication process
  • CVE-2021-34523 – This is a Microsoft Exchange Server Elevation of privilege (EoP) vulnerability, allowing users to raise their permissions.
  • CVE-2021-34523 – This is a Microsoft Exchange Server remote code execution (RCE) vulnerability, allowing authenticated users to execute arbitrary code in the context of SYSTEM and write arbitrary files.

As per IT security firm Sophos, “Adversaries exploiting these vulnerabilities are first dropping web shells onto the compromised device through which they can issue additional commands such as downloading and executing malicious binaries. Sophos has observed threat actors establishing persistence on compromised devices by creating scheduled tasks to execute a suspicious binary periodically. As these vulnerabilities lie in CAS, which runs on IIS, malicious activity will stem from a w3wp.exe process, a worker process for IIS.”

Mitigation

CISA has asked organizations to find and update the vulnerable systems on their network by applying Microsoft’s Security Update from May 2021. Even Microsoft released the latest patch – July 2021 security updates for Microsoft Exchange – and urged companies to update their systems as early as possible.