According to an alert released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), cybercriminals are currently exploiting the so-called ProxyShell Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
CISA Warns against ProxyShell Attacks
The agency’s strong advice is for organizations to identify vulnerable systems on their networks and patch them via Microsoft’s Security Update from May 2021.
The update fixes all three ProxyShell flaws and protects against the attacks. If vulnerable systems remain unpatched, threat actors could exploit the flaws to perform arbitrary code execution.
The vulnerabilities were demonstrated earlier this year during the Pwn2Own hacking contest. In fact, ProxyShell is part of a broader series of Exchange exploit chains that also includes the ProxyLogon and ProxyOracle exploits.
The ProxyLogon Vulnerabilities
The ProxyLogon vulnerabilities include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Affected versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.
To be successfully initiated, an attack requires an untrusted connection to a specific Exchange server port, TCP 443. This exposure can be reduced by restricting untrusted connections to that port, or by placing the server behind a VPN so it is not reachable from external networks. However, these mitigation tricks only offer partial protection: security researchers warn that other portions of the attack chain can still be triggered if an attacker already has access or can convince an administrator to run a malicious file.
The ProxyOracle Exploit
“Compared with ProxyLogon, ProxyOracle is an interesting exploit with a different approach. By simply leading a user to visit a malicious link, ProxyOracle allows an attacker to recover the user’s password in plaintext format completely,” security researcher Orange Tsai wrote a couple of months ago. ProxyOracle consists of two bugs: CVE-2021-31195 and CVE-2021-31196.
As for the scale of the current attacks based on the ProxyShell exploit, ethical hacker Kevin Hanslovan recently tweeted that he “has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.” To repeat CISA’s urgent advice, organizations should identify vulnerable systems on their networks and patch them to avoid these attacks.
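The webshell counts quoted above are the kind of thing a defender can look for in their own Exchange front-end logs. The script below is an added illustration written for this article, not code from CISA, Microsoft or the researchers quoted: it parses a handful of constructed IIS W3C log lines, flags requests for .aspx resources that are not in a (constructed) baseline of pages an Exchange server legitimately serves, and ranks each finding higher when the page was actually served (2xx), was POSTed to, or sits on a host that the (constructed) inventory marks as still missing the May 2021 update. The baseline, the inventory and the log lines are all assumptions made for the example; a real deployment would build the baseline from a known-clean server.

```python
"""Flag possible webshell activity on Exchange front-ends from IIS W3C logs.

Added illustration for this article; not code from CISA, Microsoft or the
researchers it quotes. The log lines, the baseline of known-good .aspx paths
and the host inventory below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed baseline: .aspx resources an Exchange front-end legitimately serves.
KNOWN_GOOD_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}

# Constructed inventory: True means the May 2021 security update is applied.
PATCHED = {"exch01": False, "exch02": True}

# Constructed IIS W3C sample (fields declared by the #Fields: directive).
SAMPLE_LOG = """\
#Fields: date time s-computername cs-method cs-uri-stem c-ip sc-status
2021-08-21 03:14:07 exch01 GET /owa/auth/logon.aspx 10.0.0.5 200
2021-08-21 03:14:09 exch01 POST /aspnet_client/system_web/load.aspx 203.0.113.7 200
2021-08-21 03:14:11 exch01 POST /aspnet_client/system_web/load.aspx 203.0.113.7 200
2021-08-21 03:15:02 exch02 GET /ecp/default.aspx 10.0.0.9 200
2021-08-21 03:15:40 exch02 POST /owa/auth/current/themes/resources/errors.aspx 198.51.100.2 404
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines using the #Fields: header; skip other directives."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a production parser would report it
        rows.append(dict(zip(fields, parts)))
    return rows


def find_suspect_aspx(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], dict]:
    """Group requests for .aspx paths outside the baseline, keyed by (host, path)."""
    hits: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"count": 0, "ips": set(), "methods": set(), "served": False}
    )
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if not path.endswith(".aspx") or path in KNOWN_GOOD_ASPX:
            continue
        h = hits[(r["s-computername"], path)]
        h["count"] += 1
        h["ips"].add(r["c-ip"])
        h["methods"].add(r["cs-method"])
        if r["sc-status"].startswith("2"):
            h["served"] = True  # the server actually executed the page
    return hits


def triage(rows: List[Dict[str, str]]) -> List[dict]:
    """Rank findings: a served, POSTed, unknown .aspx on an unpatched host scores highest."""
    findings = []
    for (host, path), h in find_suspect_aspx(rows).items():
        score = 0
        if h["served"]:
            score += 2
        if "POST" in h["methods"]:
            score += 1
        if not PATCHED.get(host, False):
            score += 2  # unpatched host: treat any unknown page as likely dropped by an attacker
        findings.append({
            "host": host,
            "path": path,
            "score": score,
            "requests": h["count"],
            "sources": sorted(h["ips"]),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_w3c(SAMPLE_LOG)):
        print(f)
```

On the sample data the unpatched host exch01 with a POSTed, successfully served page outside the baseline ranks first; the 404 on the patched exch02 is still reported, but with a low score, since an unknown .aspx that the server never served is more often a scanner probing for a webshell than a working one.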