ProxyShell vulnerabilities actively exploited to deliver web shells and ransomware

Three so-called “ProxyShell” vulnerabilities are being actively exploited by various attackers to compromise Microsoft Exchange servers around the world, the Cybersecurity and Infrastructure Security Agency (CISA) warned over the weekend.


The vulnerabilities

The three ProxyShell vulnerabilities that can be connected in a complete exploit chain are as follows.

The vulnerabilities were discovered, and the exploit chain demonstrated in action, by researcher Orange Tsai and his colleagues from the DEVCORE Research Team at the Pwn2Own contest earlier this year. He also presented the research earlier this month at the Black Hat and DEF CON conferences, and then released technical write-ups last week.

Security researcher Kevin Beaumont pointed out that these vulnerabilities are worse than the ProxyLogon flaws (also discovered by Tsai), because they are more easily exploitable.

“They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come,” he noted.

“Additionally, during the ProxyLogon attacks in January-March, attackers needed to know an Exchange administrator mailbox, and hardcoded to administrator@ in proof of concept code. This mailbox only existed if you installed Exchange as that account, and accessed email, which is a minority situation — therefore most orgs got away with it. However, with ProxyShell this does not apply — you do not need to know the identity of an Exchange administrator in advance.”

The vulnerabilities were patched by Microsoft in April and May 2021, but Microsoft did not assign CVEs to them at the time and did not adequately publicize the fact that they could soon lead to serious problems.

ProxyShell vulnerabilities exploited in the wild

CISA’s warning comes weeks after security researchers Kevin Beaumont and Rich Warren began noticing exploitation attempts against their honeypots and repeatedly shared details about them.

Researchers with cybersecurity company Huntress have also been sharing IoCs of active attacks delivering web shells and – later – coin miners and ransomware (LockFile, as detailed by Symantec’s threat hunter team).

Unfortunately, many enterprise administrators have yet to update their on-premises Microsoft Exchange servers to protect them against exploitation.

Beaumont has provided an nmap plugin that organizations can use to identify unpatched systems, and has urged them to apply the needed patches.

Of course, those who have yet to patch the flaws should also check whether their machines have already been compromised by attackers. Beaumont’s post and the write-ups shared by Huntress researchers and Symantec offer more information on what to search for.
