The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

ProxyShell Exchange Server Vulnerabilities Exploited in the Wild

by Chris Brook on Monday August 23, 2021

Contact Us
Free Demo
Chat

CISA is urging organizations to patch the vulnerabilities in Exchange Server as soon as possible to prevent the spread ransomware and attackers who have been dropping web shells.

Despite some of the bugs being fixed by Microsoft as early as April, experts are renewing the push to patch vulnerabilities in Exchange Server amid a recent push by attackers to spread ransomware and drop web shells on vulnerable servers.

The three vulnerabilities, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, collectively nicknamed ProxyShell in April, were fixed in Microsoft's Security Update from May 2021 - CVE-2021-34473 and CVE-2021-34523 were technically fixed in April  but not every organization heeded calls to patch.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) was forced to issue an urgent alert over the weekend encouraging organizations to find systems running vulnerable versions of Exchange Server and patch the vulnerabilities immediately.

“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” CISA warned.

It's the first time CISA has explicitly marked one of its alerts as "Urgent."

That’s primarily because of the time sensitive nature of the vulnerabilities and how easy they are to exploit. Several groups are actively exploiting the vulnerabilities, including a ransomware group spreading LockFile ransomware and a rash of attackers dropping web shells that can lead to further trouble for organizations.

Researchers with Huntress Labs said on Friday they saw over 140 web shells dropped on over 1,900 unpatched boxes over a two-day period. In reality, there’s many more vulnerable servers still sitting out there, left unpatched.

Victim organizations so far have run the gamut, from "building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more," according to Huntress' Kyle Hanslovan.

A scan carried out by the SANS Institute via Shodan earlier this month discovered around 30,400 machines vulnerable to all three vulnerabilities, with most of those located in the United States and Germany.

Experts, like Kevin Beaumont, a UK threat intelligence analyst who used to work for Microsoft Threat Protection, warned on Saturday that the ProxyShell vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities that surfaced in March.

CISA pressed agencies to patch the ProxyLogon vulnerabilities in an Emergency Directive back in March after Microsoft pushed an emergency out-of-band security update. It also ordered federal agencies to patch four additional Microsoft Exchange vulnerabilities discovered by the NSA in April.

As Beaumont notes, with ProxyLogon, you had to know the Exchange administrator mailbox to carry out an attack; with ProxyShell, you don't need to know the identity of an Exchange administrator, something that’s made it much easier for attackers over the past month or so. He notes further that because Microsoft didn't assign a CVE to each vulnerability until July, even when they were patched in April and May, may have caused some organizations, especially those who prioritize patching by CVE, to neglect applying the fixes.

ProxyShell, a three-part pre-authentication remote code execution vulnerability, was first discovered by Orange Tsai, a researcher with DEVCORE Research Team during Pwn2Own 2021. He delved into the attack structure further, explaining a recent change in Exchange Server 2013 that apparently led to it as a new attack surface, a few weeks ago at Black Hat.

Tags: Vulnerabilities

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification