Attackers Exploit ProxyShell Flaws In Microsoft Exchange Servers


The US’ main security agency has issued a warning about active exploitation attempts targeting the “ProxyShell” vulnerabilities in Microsoft Exchange systems. These flaws were patched earlier this May, and the exploitation attempts include deployment of LockFile ransomware on compromised systems.

Three security issues in Exchange servers (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) allow adversaries to bypass ACL controls, elevate privileges, and execute code without authenticating.

“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” CISA said.

Microsoft issued patches for CVE-2021-34473 and CVE-2021-34523 on April 13, and CVE-2021-31207 was patched in the Windows maker’s May Patch Tuesday.

This comes a week after researchers warned that attackers were looking for unpatched Exchange servers and trying to exploit the ProxyShell flaws.

The flaws were first presented at the Pwn2Own hacking contest in April this year by Orange Tsai, a security researcher from DEVCORE. He discovered several critical flaws called ProxyLogon, ProxyShell, and ProxyOracle, which could allow an attacker to execute arbitrary code remotely, recover a user’s password, and more.

“They’re backdooring boxes with webshells that drop other webshells and also executables that periodically call out,” researcher Kevin Beaumont noted last week.

According to Huntress Labs researchers, over a hundred attacks were reported against Microsoft Exchange servers in August alone. The company has identified at least five variants of web shells that were deployed to the vulnerable servers. However, it’s not clear what the goals of the attacks were or how big the impact was.

In total, over 140 web shells have been discovered targeting Exchange servers, according to Huntress Labs CEO Kyle Hanslovan. The attacks have affected various industries such as building manufacturing, seafood processors, industrial machinery, and auto repair shops.

About the author

CIM Team
