ProxyShell vulnerabilities actively exploited to deliver web shells and ransomware
Three so-called “ProxyShell” vulnerabilities are being actively exploited by various attackers to compromise Microsoft Exchange servers around the world, the Cybersecurity and Infrastructure Security Agency (CISA) warned over the weekend.
The vulnerabilities
The three ProxyShell vulnerabilities that can be connected in a complete exploit chain are as follows.
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE
The vulnerabilities were discovered, and the exploit chain demonstrated in action, by researcher Orange Tsai and his colleagues from the DEVCORE Research Team at the Pwn2Own contest earlier this year. He also presented them earlier this month at the Black Hat and DEF CON conferences, then released technical write-ups last week.
Security researcher Kevin Beaumont pointed out that these vulnerabilities are worse than the ProxyLogon flaws (also discovered by Tsai), because they are more easily exploitable.
“They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come,” he noted.
“Additionally, during the ProxyLogon attacks in January-March, attackers needed to know an Exchange administrator mailbox, and hardcoded to administrator@ in proof of concept code. This mailbox only existed if you installed Exchange as that account, and accessed email, which is a minority situation — therefore most orgs got away with it. However, with ProxyShell this does not apply — you do not need to know the identity of an Exchange administrator in advance.”
The vulnerabilities were patched by Microsoft in April and May 2021, but Microsoft did not assign CVEs to them at the time and did not adequately publicize the fact that they could soon lead to serious problems.
ProxyShell vulnerabilities exploited in the wild
CISA’s warning comes weeks after security researchers Kevin Beaumont and Rich Warren began noticing exploit attempts against their honeypots and repeatedly shared details about them.
Researchers with cybersecurity company Huntress have also been sharing IoCs of active attacks delivering web shells and – later – coin miners and ransomware (LockFile, as detailed by Symantec’s threat hunter team).
Unfortunately, many enterprise administrators have yet to update their on-premises Microsoft Exchange servers to protect them against exploitation:
Here’s @HuntressLabs breakdown of Exchange patch levels across ~1900 servers, courtesy of @DaveKleinatland. That’s a lot of potential #ProxyShell carnage. pic.twitter.com/PaMcRuGkRl
— Kyle Hanslovan (@KyleHanslovan) August 21, 2021
Keep your Exchange servers safe this weekend. @HuntressLabs has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more. #ProxyShell pic.twitter.com/clhQ0E5rnR
— Kyle Hanslovan (@KyleHanslovan) August 20, 2021
Beaumont has provided an nmap plugin that organizations can use to identify unpatched systems, and has urged them to apply the needed patches.
Of course, those who have yet to patch the flaws should also check whether their machines have already been popped by attackers. Beaumont’s post and the write-ups shared by Huntress researchers and Symantec offer more information on what to search for.