{"id":19094,"date":"2021-08-26T23:44:01","date_gmt":"2021-08-26T23:44:01","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19094"},"modified":"2021-08-27T22:16:43","modified_gmt":"2021-08-27T22:16:43","slug":"microsoft-issues-proxyshell-advisory-after-attacks-begin","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/microsoft-issues-proxyshell-advisory-after-attacks-begin\/","title":{"rendered":"Microsoft Issues ProxyShell Advisory After Attacks Begin"},"content":{"rendered":"

Microsoft this week issued an advisory<\/a> about three vulnerabilities referred to collectively as ProxyShell days after security researchers at a federal government cybersecurity agency warned that cybercriminals were actively trying to exploit them.<\/p>\n

The ProxyShell vulnerabilities that affect Microsoft Exchange servers were put on full display at this month\u2019s Black Hat 2021 conference when Devcore researcher Orange Tsai \u2013 who originally uncovered the vulnerabilities \u2013 compromised a Microsoft Exchange server by exploiting them during a session at the event.<\/p>\n

The three vulnerabilities are CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. They could lead to escalation of privileges and remote code execution if exploited, enabling hackers to execute arbitrary code on a vulnerable machine, according to a warning<\/a> issued by the Cybersecurity and Infrastructure Security Agency (CISA).<\/p>\n

In its own advisory, Microsoft this week urged organizations running Exchange servers to install patches issued in security updates in May<\/a> and July<\/a>, which protect against the vulnerabilities.<\/p>\n

\u201cBut if you have not installed either of these security updates, then your servers and data are vulnerable,\u201d Microsoft researchers said, adding that \u201cseveral times\u201d the company has said<\/a> that \u201cit is\u00a0critical<\/em>\u00a0to keep your Exchange servers updated with latest available Cumulative Update (CU) and Security Update (SU).\u201d<\/p>\n

Further reading: Top Patch Management Tools<\/a><\/p>\n

Microsoft Faces Criticism for Response<\/h2>\n

Microsoft is catching criticism from some cybersecurity researchers for not being forceful enough over the past several months in warning customers about the threats posed by ProxyShell and urging them to get the vulnerabilities patched.<\/p>\n

Security researcher Kevin Beaumont in a blog post<\/a> said patches issued in April and May close the vulnerabilities, but added that \u201cMicrosoft\u2019s messaging of this has been knowingly awful. Microsoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which have been going on for \u2014 obviously \u2014 decades. You may remember how much negative publicity March\u2019s Exchange patches caused Microsoft, with headlines such as \u2018Microsoft emails hacked.\u2019\u201d<\/p>\n

Beaumont also noted that \u201cMicrosoft failed to allocate CVEs for these vulnerabilities until July \u2014 4 months after<\/em>\u00a0the patches were issued. Given many organizations vulnerability manage via CVE, it created a situation where Microsoft\u2019s customers were misinformed about the severity of one of the most critical enterprise security bugs of the year.\u201d<\/p>\n

The March Exchange patches Beaumont noted refer to similar attacks exploiting zero-day flaws folded under the umbrella of ProxyLogon.<\/p>\n

In a difficult year for cyber attacks, Microsoft’s ubiquitous presence has placed it at the center of a number of other security incidents and vulnerabilities<\/a>. At the same time, the software giant has been actively trying to improve security, even posting a string of impressive results in the difficult MITRE endpoint security testing<\/a>. And this week, Microsoft was at the center of a White House initiative to improve cybersecurity<\/a>, pledging $20 billion and training resources toward the effort.<\/p>\n

Exchange Under Attack<\/h2>\n

But thanks in part to Microsoft’s half-hearted warnings earlier this year, bad actors are once again taking a look at Microsoft Exchange after the Black Hat show and security researchers are seeing the results. John Hammond, senior security researcher with Huntress Labs, wrote in a blog post<\/a> that \u201cattackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year.\u201d<\/p>\n

In a tweet, Huntress CEO Kyle Hansloven noted that his company by Aug. 20 had seen more than 140 webshells across more than 1,900 unpatched servers over a two-day period, with the impacted organizations including building manufacturers, seafood processors and a small residential airport.<\/p>\n

\"proxyshell<\/p>\n

The revelation prompted Rob Joyce, director of cybersecurity at CISA, to tweet<\/a>, \u201cNew surge in Microsoft Exchange server exploitation underway. You must ensure that you are patched and monitoring if you are hosting an instance.\u201d<\/p>\n

Beaumont wrote that \u201cfor nearly a month, I have been watching mass in the wild exploitation of ProxyShell. … These\u00a0vulnerabilities are worse than ProxyLogon.\u201d<\/p>\n

Ransomware and ProxyShell<\/h2>\n

The Threat Hunter Team at Symantec in an updated blog post<\/a> wrote that a new ransomware<\/a> family called LockFile, which has been around since at least mid-July, appears to be attacking victims\u2019 networks by exploiting the Windows PetitPotam vulnerability, gaining access to the domain controller and then expanding from there across the network.<\/p>\n

They initially said it was unclear how the hackers were able to gain access into Microsoft Exchange Servers, but updated post to note what Beaumont had written about the ProxyShell exploits and said that could have been the way the LockFile attackers made their way in.<\/p>\n

In his blog post, Huntress\u2019 Hammond wrote that by working with Beaumont and security researcher Rich Warren, they had corroborated that the \u201cwebshell and LockFile ransomware incidents we\u2019re seeing within companies may be related.\u201d<\/p>\n

Unpatched Exchange Servers<\/h2>\n

A scan by search engine Shodan published Aug. 11 found that 18 percent of Exchange servers remain unpatched and that almost 40 percent are exposed to one of the vulnerabilities. Beaumont said he wrote a plugin that can identify unpatched systems and then worked with Shodan to put the detection plugin into their product.<\/p>\n

In addition, CERT in Austria also is using the scanning script to search for unpatched Exchange servers in that country.<\/p>\n

Jake Williams, co-founder and CTO of incident response specialist BreachQuest, told eSecurity Planet<\/em> that cybercriminals can attack a weakness quickly.<\/p>\n

\u201cThe speed with which threat actors weaponized the ProxyShell vulnerabilities highlights why having good threat intelligence is critical,\u201d Williams said. \u201cThis vulnerability was discussed openly and the consensus among researchers was that weaponization was imminent. Those orgs with that early warning were able to prioritize patching and should not be impacted.\u201d<\/p>\n

Assume Compromise<\/h2>\n

He noted that the CISA warning was timely but added that \u201cby the time there\u2019s a warning about active exploitation in the wild, any internet-facing assets have likely been compromised by threat actors. Organizations that haven\u2019t patched yet should be proceeding under the assumption they\u2019ve been compromised. Installing the patch now will prevent future exploitation, but any backdoors already deployed by threat actors will remain after the patch.\u201d<\/p>\n

In its advisory, Microsoft said the Exchange servers that are vulnerable to ProxyShell are those that don\u2019t have at least the CU with the SU from May.<\/p>\n

\u201cIn all of the above scenarios, you\u00a0must<\/em>\u00a0install one of latest supported CUs and all applicable SUs to be protected,\u201d the company wrote. \u201cAny Exchange servers that are not on a supported CU\u00a0and<\/em>\u00a0the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.\u201d<\/p>\n

Further reading: Top Vulnerability Management Tools<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n