Browse Definitions :

Askhat - stock.adobe.com

Everything you need to know about ProxyShell vulnerabilities

Organizations need to patch their Exchange Servers to protect against the ProxyShell exploit. Learn how to do that and more here.

ProxyShell is an attack chain that exploits three known vulnerabilities in Microsoft Exchange: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. By exploiting these vulnerabilities, attackers can perform remote code execution.

Microsoft has classified the ProxyShell vulnerabilities as critical, just as they do for any vulnerability that enables remote code execution. However, ProxyShell is especially critical for two reasons:

  1. Unlike some of the other remote code execution vulnerabilities discovered in Microsoft products over the years, ProxyShell is relatively easy to exploit.
  2. Security researchers discussed the exploit in detail at the 2021 Black Hat USA conference. This led to the exploit becoming well known in the hacker community.

There was an initial wave of attacks against Exchange Servers soon after details about ProxyShell became public. But even today, hackers are actively exploiting the ProxyShell vulnerabilities.

There are two main things that security researchers have observed hackers doing to affected systems.

1. Hackers create web shells

A web shell is essentially a command line interface that can be used to attack a vulnerable system. The ProxyShell exploits enable remote PowerShell sessions to be established with vulnerable Exchange Servers. There are several ways that attackers have used PowerShell to create web shells.

One of the best-known web shell exploits involves an attacker creating a draft e-mail message within an Exchange mailbox. This draft message contains a special attachment -- a file with an ASPX extension. Once this email message is created, the attacker uses the New-MailboxExportRequest cmdlet to export the mailbox contents to a PST file. This export process causes the message attachment to be decoded, allowing the attachment to be executed.

2. Hackers use ProxyShell as a tool to plant ransomware

In August and September 2021, there were a number of documented instances of attackers using the ProxyShell vulnerabilities to plant LockFile ransomware on unpatched Microsoft Exchange systems.  More recently, Babuk ransomware has been showing up on unpatched Exchange Servers. Squirrelwaffle has also been exploiting ProxyShell. Squirrelwaffle is malware that formulates malicious responses to legitimate email chains.

The most important thing to keep in mind about these types of ransomware and malware attacks is that they are not caused by a user who accidentally clicks on something that they shouldn't. Hackers are actively looking for unpatched Exchange Servers and planting malware and ransomware on those servers.

Learn about the decryptors Avast developed to recover data from LockFile, Babuk and AtomSilo ransomware variants.

Businesses affected

As of August 2021, more than 1,900 Exchange Servers were known to have been hacked. The types of organizations affected by ProxyShell attacks include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more, according to a tweet from Kyle Hanslovan, CEO of Huntress Labs.

How to protect against ProxyShell vulnerabilities

The first thing that organizations need to do to protect themselves from ProxyShell vulnerabilities is patch their on-premises Microsoft Exchange Servers. Specifically, organizations need to deploy the latest cumulative update, plus either the May 2021 security updates or the July 2021 security updates. The cumulative update and the security update are both necessary to be protected. Exchange Server versions older than Exchange 2013 could be vulnerable regardless of whether or not they are patched.

In addition to patching any on-premises Exchange Servers, organizations also need to perform a comprehensive malware scan and security scan to determine if Exchange Servers have already been compromised. If an attacker has installed a web shell onto an Exchange Server, threat actors may be able to use that web shell to access systems even after they are patched.

Next Steps

ProxyShell leads to domain-wide ransomware attack

Dig Deeper on Security

Networking
  • network management system

    A network management system, or NMS, is an application or set of applications that lets network engineers manage a network's ...

  • host (in computing)

    A host is a computer or other device that communicates with other hosts on a network.

  • Network as a Service (NaaS)

    Network as a service, or NaaS, is a business model for delivering enterprise WAN services virtually on a subscription basis.

Security
  • WebAuthn API

    The Web Authentication API (WebAuthn API) is a credential management application program interface (API) that lets web ...

  • Common Vulnerability Scoring System (CVSS)

    The Common Vulnerability Scoring System (CVSS) is a public framework for rating the severity of security vulnerabilities in ...

  • Dridex malware

    Dridex is a form of malware that targets victims' banking information, with the main goal of stealing online account credentials ...

CIO
  • audit program (audit plan)

    An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate ...

  • blockchain decentralization

    Decentralization is the distribution of functions, control and information instead of being centralized in a single entity.

  • outsourcing

    Outsourcing is a business practice in which a company hires a third party to perform tasks, handle operations or provide services...

HRSoftware
  • team collaboration

    Team collaboration is a communication and project management approach that emphasizes teamwork, innovative thinking and equal ...

  • employee self-service (ESS)

    Employee self-service (ESS) is a widely used human resources technology that enables employees to perform many job-related ...

  • learning experience platform (LXP)

    A learning experience platform (LXP) is an AI-driven peer learning experience platform delivered using software as a service (...

Customer Experience
  • B2C (business-to-consumer)

    B2C, or business-to-consumer, is a retail model where products or services move directly from a business to the end user who has ...

  • market segmentation

    Market segmentation is a marketing strategy that uses well-defined criteria to divide a brand's total addressable market share ...

  • sales pipeline

    A sales pipeline is a visual representation of sales prospects and where they are in the purchasing process.

Close