Microsoft Exchange Server under ProxyShell attacks

A security warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (US-CISO) has announced that the latest “ProxyShell” Microsoft Exchange vulnerabilities are a target of new active exploitation attempts. According to the warning, devices that have not been updated to the latest security patches that were released in May are under a threat of LockFile ransomware deployment.

Microsoft Exchange Server

Microsoft Exchange Server, an email platform that has long been targeted by state-sponsored hacking organizations, provides email services to numerous businesses and government agencies. If breached, Microsoft Exchange Server can give attackers access to a lot of sensitive information.

ProxyShell is a trio of security vulnerabilities in the Exchange Server that Microsoft has already patched. The vulnerabilities have been officially tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 and have been addressed with security fixes.

However, researchers have raised the alarm that a number of users have still not applied the available patches for ProxyShell and attackers are now actively scanning for those vulnerable servers with attempts to compromise them.

When exploited together, the ProxyShell bugs in the Exchange Server can provide a threat actor with the ability to conduct remote code execution (RCE) on unpatched systems without authentication. As per what has been revealed, the three vulnerabilities can be remotely exploited through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.  More details reveal that one of the components of the ProxyShell attack chain specifically targets the Microsoft Exchange Autodiscover service that makes it possible to auto-configure a mail client software with minimal user interaction.

The danger is real.

According to researchers, Exchange Server vulnerabilities have been found to have at least five different web shell attack methods. A disturbing fact is that only for the period between August 17 and August 18, more than 100 attacks aimed at the ProxyShell flaws have been reported. Most of them have allowed for remote access to the hacked servers, however, the criminal actors may have exploited the flaws in ways that have not been clarified yet.

As per some recent statistics, more than 140 web shells have been detected across more than 1,900 unpatched Exchange servers, and they have impacted organizations in different sectors including manufacturing, industrial machinery, auto repair shops, seafood processors and building.

A cumulative update (KB5001779) for CVE-2021-34473 and CVE-2021-34523 is available since April this year, and a CVE-2021-31207 fix was released in May. All vulnerable users should immediately apply the available fixes to mitigate the risks related to them.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment