Microsoft Breaks Silence on Barrage of ProxyShell Attacks
Elizabeth Montalbano, threatpost.com
Aug 26, 2021 - 12:39 p.m.
THREATPOST:83C349A256695022C2417F465CEB3BB2

CVSS2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: NONE

AI Score: 9.2 (Confidence: High)
EPSS: 0.973 (Percentile: 99.9%)

Microsoft has broken its silence on the recent barrage of attacks on the ProxyShell vulnerabilities in Exchange Server that were highlighted by a researcher at Black Hat earlier this month.

The company released an advisory late Wednesday letting customers know that threat actors may use unpatched Exchange servers “to deploy ransomware or conduct other post-exploitation activities” and urging them to update immediately.

“But if you have not installed either of these security updates, then your servers and data are vulnerable,” according to the advisory.

The ProxyShell bugs were outlined by Devcore principal security researcher Orange Tsai in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) together enable an adversary to achieve remote code execution on Microsoft Exchange servers. Microsoft said the bugs can be exploited in the following cases:

–The server is running an older, unsupported CU;

–The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or

–The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

“In all of the above scenarios, you must install one of [the] latest supported CUs and all applicable SUs to be protected,” according to Microsoft. “Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.”
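The check that falls out of Microsoft's three conditions is a build-level inventory: which CU is each server on, and has that CU received its SU. The script below is an added example, not code from the article, from Microsoft or from any of the researchers quoted. It assumes it runs from the Exchange Management Shell with rights to remote into each server, and its minimum-build table is the author's recollection of the July 2021 SU builds for the CUs Microsoft supported in August 2021; every value in it must be checked against Microsoft's published Exchange build-number table before the output is trusted.

```powershell
# Added example: not code from the Threatpost article, from Microsoft, or from
# the researchers it quotes. Inventories Exchange servers and flags any whose
# installed build (CU plus SU) is below a minimum you supply.
#
# ASSUMPTION: the builds below are what the author recalls as the July 2021 SU
# builds for the CUs supported in August 2021. Verify each one against
# Microsoft's "Exchange Server build numbers and release dates" page before
# relying on this output; an unverified threshold is worse than none.
$SupportedMinimums = @(
    @{ Product = 'Exchange 2019 CU10'; CuBase = [version]'15.2.922.0';  MinBuild = [version]'15.2.922.13' }
    @{ Product = 'Exchange 2019 CU9';  CuBase = [version]'15.2.858.0';  MinBuild = [version]'15.2.858.15' }
    @{ Product = 'Exchange 2016 CU21'; CuBase = [version]'15.1.2308.0'; MinBuild = [version]'15.1.2308.14' }
    @{ Product = 'Exchange 2016 CU20'; CuBase = [version]'15.1.2242.0'; MinBuild = [version]'15.1.2242.12' }
    @{ Product = 'Exchange 2013 CU23'; CuBase = [version]'15.0.1497.0'; MinBuild = [version]'15.0.1497.23' }
)

function Test-ExchangeBuild {
    param([Parameter(Mandatory)][version]$Build)
    # A CU is identified by the first three version components; an SU only
    # moves the fourth (Revision). Unknown CU => not a supported CU at all.
    $cu = $SupportedMinimums | Where-Object {
        $_.CuBase.Major -eq $Build.Major -and
        $_.CuBase.Minor -eq $Build.Minor -and
        $_.CuBase.Build -eq $Build.Build
    } | Select-Object -First 1
    if (-not $cu) {
        return [pscustomobject]@{ Status = 'UNSUPPORTED CU'; Detail = "build $Build is not a supported CU; install a current CU, then its SU" }
    }
    if ($Build -lt $cu.MinBuild) {
        return [pscustomobject]@{ Status = 'MISSING SU'; Detail = "$($cu.Product) at $Build, needs >= $($cu.MinBuild)" }
    }
    return [pscustomobject]@{ Status = 'OK'; Detail = "$($cu.Product) at $Build" }
}

# Get-ExchangeServer's AdminDisplayVersion only reflects the CU; SUs do not
# change it. The exact build, SU included, is the file version of ExSetup.exe
# on each server, which is why we read that remotely instead.
foreach ($server in Get-ExchangeServer) {
    $fileVersion = Invoke-Command -ComputerName $server.Name -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    }
    $result = Test-ExchangeBuild -Build ([version]$fileVersion)
    [pscustomobject]@{
        Server              = $server.Name
        AdminDisplayVersion = $server.AdminDisplayVersion
        ExSetupBuild        = $fileVersion
        Status              = $result.Status
        Detail              = $result.Detail
    }
}
```

Two details matter here. AdminDisplayVersion, the version Get-ExchangeServer reports, only changes with a CU, so a server that is on a supported CU but never received the SU looks fully patched in that column; the ExSetup.exe file version is what moves with an SU. And a server that only had the EOMT mitigations applied (Microsoft's third case) carries the same build as an unmitigated one, so it is correctly reported as MISSING SU: mitigations are not a patch.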

Sounding the Alarm

Following Tsai’s presentation on the bugs, the SANS Internet Storm Center’s Jan Kopriva reported that he found more than 30,000 vulnerable Exchange servers via a Shodan scan, and that any threat actor worthy of the title would find them easy to exploit, given how much information is publicly available.

Security researchers at Huntress also reported seeing the ProxyShell vulnerabilities actively exploited throughout August to install backdoors, once exploit code was published on Aug. 6. Starting last Friday, Huntress reported a “surge” in attacks, finding 140 webshells across 1,900 unpatched Exchange servers.
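Reports of webshells on unpatched servers translate into a file-system sweep of the web roots the server serves. The script below is an added example, not code from the article or from Huntress. It assumes it runs in an elevated PowerShell on the Exchange server itself, that $env:ExchangeInstallPath is set (Exchange setup sets it), and that the three roots listed are the author's first stops rather than an exhaustive list; the cut-off date is the Aug. 6 exploit publication the article mentions.

```powershell
# Added example, not from the Threatpost article or from Huntress: list .aspx
# (and .ashx/.asmx) files written under an Exchange server's web roots since
# the date the article gives for public exploit code (Aug. 6, 2021).
# ASSUMPTIONS: run elevated on the Exchange server; $env:ExchangeInstallPath is
# set by Exchange setup; the roots below are a starting set, not a complete one.
$Since = Get-Date '2021-08-06'
$Roots = @(
    Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
    Join-Path $env:ExchangeInstallPath 'ClientAccess'
    'C:\inetpub\wwwroot'
) | Where-Object { Test-Path $_ }

function Find-RecentAspx {
    param([string[]]$Path, [datetime]$Since)
    # Either timestamp counts: a dropped file has a new CreationTime, an
    # overwritten legitimate page a new LastWriteTime.
    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                Bytes    = $_.Length
                Owner    = (Get-Acl $_.FullName).Owner
                SHA256   = (Get-FileHash $_.FullName -Algorithm SHA256).Hash   # for sharing/triage
            }
        }
}

Find-RecentAspx -Path $Roots -Since $Since | Sort-Object Created | Format-Table -AutoSize
```

A hit is a lead, not a verdict: compare it against a known-good copy of the same path from a clean install or backup before acting on it. And an attacker who can write files can also backdate timestamps, so an empty result does not clear the server.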

The Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing an urgent alert. It, too, urged organizations to immediately install the latest Microsoft Security Update.

At the time, researcher Kevin Beaumont criticized Microsoft’s messaging around the vulnerabilities and the urgency with which its customers needed to update Exchange Server.

“Microsoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for – obviously – decades,” Beaumont explained.

But Beaumont said these remote code execution (RCE) vulnerabilities are “…as serious as they come.” He noted that the company did not help matters by failing to allocate CVEs for them until July — four months after the patches were issued.

In order of patching priority, according to Beaumont, the vulnerabilities are: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

CVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to ACL Bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege on Exchange PowerShell backend. CVE-2021-31207, a bug in which a post-auth Arbitrary-File-Write leads to remote code execution, was patched in May.
