CISA warns admins to urgently patch Exchange ProxyShell bugs

The US Cybersecurity and Infrastructure Security Agency (CISA) issued its first alert tagged as “urgent,” warning admins to patch on-premises Microsoft Exchange servers against actively exploited ProxyShell vulnerabilities.

“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207,” CISA warned over the weekend.

“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”

These three security flaws (patched in April and May) were discovered by Devcore security researcher Orange Tsai, who used them to compromise a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest:

• CVE-2021-34473 – Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779)
• CVE-2021-34523 – Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779)
• CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

Actively exploited by multiple threat actors

This warning comes after similar ones alerting organizations to defend their networks from the wave of attacks that hit tens of thousands of organizations worldwide in March, with exploits targeting four zero-day Microsoft Exchange bugs known as ProxyLogon.

Even though Microsoft fully patched the ProxyShell bugs in May 2021, they didn’t assign CVE IDs for the three security vulnerabilities until July, thus preventing some organizations who had unpatched servers from discovering that they had vulnerable systems on their networks.

After additional technical details were recently disclosed, both security researchers and threat actors could reproduce a working ProxyShell exploit.

Then, just as it happened in March, attackers began scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After breaching unpatched Exchange servers, threat actors drop web shells that allow them to upload and execute malicious tools.

While, in the beginning, the payloads were harmless, attackers have begun deploying LockFile ransomware payloads delivered across Windows domains compromised using Windows PetitPotam exploits.

So far, US-based security firm Huntress Labs said it found over 140 web shells deployed by attackers on more than 1,900 compromised Microsoft Exchange servers until Friday.

Shodan is also tracking tracking ten of thousands of Exchange servers vulnerable to attacks using ProxyShell exploits, most of them located in the US and in Germany.

More than 18% of Exchange servers remain unpatched for the ProxyShell vulnerability. Nearly 40% are vulnerable to CVE-2021-31206: https://t.co/7yetz9GoJw pic.twitter.com/0r2AOQsibB

— Shodan (@shodanhq) August 11, 2021

“New surge in Microsoft Exchange server exploitation underway,” NSA Cybersecurity Director Rob Joyce also warned over the weekend. “You Must ensure you are patched and monitoring if you are hosting an instance.”

The NSA has also reminded defenders this weekend that the guidance published in March on hunting for web shells is still applicable to these ongoing attacks.

Detailed information on how to identify Microsoft Exchange servers that need patching against ProxyShell and how to detect exploitation attempts can be found in the blog post published by security researcher Kevin Beaumont.