CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
99.9%
Over the weekend, the Cybersecurity & Infrastructure Security Agency (CISA) issued an urgent alert that attackers are actively exploiting ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers, joining researchers in urging organizations to immediately install the latest Microsoft Security Update.
Security researchers at Huntress reported seeing ProxyShell vulnerabilities actively exploited throughout the month of August to install backdoor access once the ProxyShell exploit code was published on Aug. 6. But starting Friday night, Huntress reported a "surge" in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.
"Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more," Huntress researcher Kyle Hanslovan said in an Aug. 20 tweet.
Considering the industries represented, it's unsurprising that CISA jumped in to call for organizations to shore up defenses against the wave of attacks.
Huntress researcher John Hammond, working in collaboration with Kevin Beaumont and Rich Warren, was able to establish that in addition to webshell attacks, threat actors were also exploiting ProxyShell to deliver LockFile ransomware.
The most common webshell deployed against Exchange servers was XSL Transform (used 130 times), followed by Encrypted Reflected Assembly Loader, Comment Separation and Obfuscation of the "unsafe" Keyword, Jscript Base64 Encoding and Character Typecasting, and Arbitrary File Uploader, according to Huntress.
The Huntress team analyzed one system infected with ProxyShell and LockFile ransomware and found a unique tactic.
"The configuration file for the Exchange internet service was modified to include a new 'virtual directory,' which practically redirects one URL endpoint to another location on the filesystem," Huntress' John Hammond wrote.
He explained that this helps an attacker hide the webshell outside of the directories that ASP-focused monitoring watches.
"If you don't know to look for this, this is going to slip under the radar and the hackers will persist in the target environment. Additionally, the hidden webshell discovered on this host uses the same XML/XLS transform technique that we have seen previously," Hammond advised.
> This is a new technique for #ProxyShell we haven't seen before. Adds just another slight layer of stealth and opens the opportunity to hide webshells in other locations, not strictly in a public web directory. <https://t.co/WY71UJMiL0>
>
> — John Hammond (@_JohnHammond) August 23, 2021
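The virtual-directory trick Hammond describes leaves a trace in the IIS configuration itself: a `virtualDirectory` element whose `physicalPath` points somewhere other than the web root or the Exchange install tree. The following script is an added example (not Huntress' code and not from the article) that parses an `applicationHost.config` fragment and lists every virtual directory mapped outside a set of expected roots. The config text, the `example_extra` entry and the `DEFAULT_ALLOWED_ROOTS` list are constructed for illustration; `%SystemDrive%` is assumed to be `C:`, and the allowed roots should be adjusted to the real install paths of the host being checked.

```python
import ntpath
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

# Constructed sample of an IIS applicationHost.config fragment (not from any real host).
# The "/example_extra" virtual directory is the kind of entry the check should flag.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
          <virtualDirectory path="/example_extra" physicalPath="C:\Users\Public\example_extra" />
        </application>
        <application path="/owa" applicationPool="MSExchangeOWAAppPool">
          <virtualDirectory path="/" physicalPath="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# Assumed legitimate roots: the default IIS web root and the default Exchange install
# directory. Replace with the paths actually used on the host under review.
DEFAULT_ALLOWED_ROOTS = (
    r"C:\inetpub",
    r"C:\Program Files\Microsoft\Exchange Server\V15",
)


def _normalize(win_path: str) -> str:
    """Expand %SystemDrive% (assumed C:), collapse '..' segments and lower-case the path.

    ntpath handles Windows-style paths on any OS, so this runs offline on a collected config.
    """
    expanded = win_path.replace("%SystemDrive%", "C:")
    return ntpath.normcase(ntpath.normpath(expanded))


def is_under_roots(physical_path: str, roots: Iterable[str]) -> bool:
    """True if physical_path resolves to one of the roots or a directory beneath one."""
    target = _normalize(physical_path)
    for root in roots:
        r = _normalize(root).rstrip("\\")
        if target == r or target.startswith(r + "\\"):
            return True
    return False


def _join_url(app_path: str, vdir_path: str) -> str:
    """Combine an application path and a virtual directory path into one URL path."""
    parts = [p.strip("/") for p in (app_path, vdir_path) if p.strip("/")]
    return "/" + "/".join(parts)


def find_unexpected_vdirs(config_xml: str,
                          roots: Iterable[str] = DEFAULT_ALLOWED_ROOTS) -> List[Tuple[str, str, str]]:
    """Return (site, url_path, physical_path) for every virtualDirectory outside the allowed roots."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() matches tag names literally, which avoids XPath trouble with the dotted
    # <system.applicationHost> element name.
    for site in root.iter("site"):
        site_name = site.get("name", "?")
        for app in site.iter("application"):
            for vdir in app.iter("virtualDirectory"):
                phys = vdir.get("physicalPath", "")
                if not is_under_roots(phys, roots):
                    url = _join_url(app.get("path", "/"), vdir.get("path", "/"))
                    findings.append((site_name, url, phys))
    return findings


if __name__ == "__main__":
    for site, url, phys in find_unexpected_vdirs(SAMPLE_CONFIG):
        print(f"[{site}] {url} -> {phys}")
```

Because the check normalizes `..` segments before comparing, a path written as `C:\inetpub\wwwroot\..\..\Users\x` is still reported as outside the web root. Any entry this flags is only a lead: confirm it against change-control records and the file's modification time before treating it as a compromise.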
ProxyShell attacks were first publicly documented at Black Hat in early August by Devcore researcher Orange Tsai. Just a week later, a Shodan scan by the SANS Internet Storm Center's Jan Kopriva found more than 30,000 vulnerable Exchange Servers.
Yet many servers remain unpatched against ProxyShell attacks.
Researcher Kevin Beaumont is critical of Microsoft's messaging efforts surrounding the vulnerability and the critical need for its customers to update their Exchange Server security.
"Microsoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for – obviously – decades," Beaumont explained. "You may remember how much negative publicity March's Exchange patches caused Microsoft, with headlines such as 'Microsoft emails hacked'."
But Beaumont said these remote code execution (RCE) vulnerabilities are "…as serious as they come."
"To make matters worse, Microsoft failed to allocate CVEs for these vulnerabilities until July – 4 months after the patches were issued," he wrote. "Given many organizations' vulnerability [to] manage via CVE, it created a situation where Microsoft's customers were misinformed about the severity of one of the most critical enterprise security bugs of the year."
In order of patching priority, according to Beaumont, the vulnerabilities are: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.
Beaumont said he worked with Shodan to add a plug-in to identify vulnerable systems. He added that Microsoft should be asked to pay bug bounties for on-premise Exchange servers and criticized the company, saying it had "completely failed to deal with their own problems" while openly touting bugs in other vendors' products, like Netgear.
For its part, CISA is cautioning every organization to update Exchange software as soon as possible.
"CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021 – which remediates all three ProxyShell vulnerabilities – to protect against these attacks," the alert said.
doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c
pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096
peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
t.co/WY71UJMiL0
threatpost.com/category/webinars/
threatpost.com/exchange-servers-attack-proxyshell/168661/
threatpost.com/how-to-reduce-exchange-server-downtime/168344/
twitter.com/hashtag/ProxyShell?src=hash&ref_src=twsrc%5Etfw
twitter.com/KyleHanslovan/status/1428804893423382532
twitter.com/_JohnHammond/status/1429798045571371008?ref_src=twsrc%5Etfw
us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell
www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit
www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/