Threat actors are exploiting three ProxyShell vulnerabilities in Microsoft Exchange. Here's what you need to know.
On August 21, 2021, CISA issued an urgent security update regarding the ProxyShell vulnerabilities. Threat actors are leveraging the vulnerabilities to bypass access control and elevate privileges on the Exchange PowerShell backend, which effectively permits unauthenticated remote code execution. Microsoft issued patches in May for the vulnerabilities below:
- CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to run code on an affected system without first authenticating.
- CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers, due to a flaw in the PowerShell service that does not properly validate access tokens.
- CVE-2021-31207 enables malicious actors, post-authentication, to write arbitrary files and execute arbitrary code in the context of the system.
Quick facts: what you need to know now
- Threat actors can leverage the three vulnerabilities together on unpatched servers to install a backdoor into the server that can be used at a later time.
- There has been some correlation between these vulnerabilities and ransomware, particularly the new LockFile Ransomware.
- The affected products include Microsoft Exchange servers that have not been updated since April 2021.
Next Steps for All Microsoft Exchange Customers
We encourage all organizations running outdated versions of on-premises Microsoft Exchange to take the following steps to reduce the risk of attack:
- Update your Exchange server(s) to the latest released version.
- Review your Exchange server to determine whether it was compromised by searching the directories below for the presence of any suspicious web files:
- C:\Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\
- Check the security tooling exclusions you have on your Exchange servers. For internet-facing Exchange servers, for example, it is risky to allowlist all activity from w3wp.exe (IIS), as Microsoft recommends — you may be allowing attackers to go undetected.
- If you identify any suspicious activity:
- Immediately disconnect the server from the network while keeping the power on; and
- Notify Corvus of a potential claim via firstname.lastname@example.org (Cyber policyholders) or email@example.com (Tech E&O policyholders). We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.
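As an added example (not part of the advisory, and not a Microsoft or Corvus tool), the following PowerShell script performs the directory review from the steps above: it lists web-executable files under the Exchange FrontEnd path named in the advisory that were written after a cutoff date, and records their hashes for the forensics firm. The cutoff date and the output location are assumptions to adjust for your environment.

```powershell
# Added example, not from the advisory. Run as an administrator on the Exchange server.
# Assumption: files written after the cutoff are worth a look; legitimate Exchange
# updates also write files here, so treat hits as triage candidates, not verdicts.
$Cutoff = Get-Date '2021-04-01'   # assumption: your last known-good patch date
$Paths  = @(
    'C:\Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\'
)
# Extensions IIS will execute as web content; a dropped web shell is usually one of these.
$WebExt = @('.aspx', '.ashx', '.asmx', '.asax')

$Findings = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $WebExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -gt $Cutoff
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
    # Preserve the list before anything on the server is changed or cleaned up.
    $Findings | Export-Csv -Path "$env:TEMP\exchange-webfile-triage.csv" -NoTypeInformation
} else {
    Write-Output "No web files written after $Cutoff found under the checked paths."
}
```

Compare any hit against the file set on a known-clean server at the same Cumulative Update level before deciding it is malicious, and leave the file in place for the forensics firm rather than deleting it.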