ProxyShell attacks ramping up on unpatched Exchange Servers

Security experts say active attacks on the series of Microsoft Exchange Server flaws, which can be chained to take control of servers, are already being launched in the wild.

A set of vulnerabilities in Microsoft Exchange Server are under active attack, and administrators are advised to respond immediately.

Multiple threat researchers and security vendors have reported active attacks on the three security vulnerabilities referred to as "ProxyShell." The vulnerabilities include CVE-2021-34473, a remote code execution bug; CVE-2021-34523, an elevation of privilege bug; and CVE-2021-31207, a security bypass flaw. The latter two vulnerabilities on their own are not considered serious threats, but when combined with the first, they are a considerable security risk.

The vulnerabilities were patched in August, but because many systems, servers in particular, often go months before patches are applied, closing the vulnerability remains an ongoing problem for some organizations. Researchers with Sophos and Mandiant recently spotted attacks in the wild using the three bugs in combination against on-premises Exchange Server installations.

According to Mandiant researchers, the flaws are being exploited as a chain: attackers first abuse CVE-2021-34473 to bypass user authentication, then combine it with the privilege escalation flaw so that an unauthenticated attacker ends up with remote administrator access on a vulnerable server.

These flaws have become so easy to chain together that malware crews have used the scripted exploits with their existing malware installation chains.

"This chain of vulnerabilities exists in unpatched on-premises editions of Microsoft Exchange Server only and is being actively exploited on those servers accessible on the Internet," Mandiant researchers wrote in a blog post Friday. "Mandiant responded to multiple intrusions impacting a wide variety of industries including Education, Government, Business services, and Telecommunications. These organizations are based in the United States, Europe, and Middle East. However, targeting is almost certainly broader than directly observed."

In practice, this means attackers are able to create remote tunnels that allow for web shell interfaces, or command lines that give complete control of a system. According to Sophos, these tactics have not only been adopted but have become routine for prolific ransomware crews such as the Conti gang, who have an established attack network in place.

"As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours," Sophos researchers wrote in a blog post Friday. "In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target's network and set up a remote web shell in under a minute."
