Several versions of the software are affected by a set of bugs under active exploitation.
Microsoft has broken its silence on the recent barrage of attacks exploiting the ProxyShell vulnerabilities, which a researcher detailed at Black Hat earlier this month.
The company released an advisory late Wednesday warning customers that threat actors may use unpatched Exchange servers “to expand ransomware or conduct other post-exploitation activities” and urged them to update immediately.
“Our advice, as always, is to install the most advanced CU and SU on all your Exchange servers to make sure that you are safe against the latest threats,” the company said. “Please update now!”
Customers that have installed the May 2021 or July 2021 security updates on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers, so long as they ensure that all hybrid Exchange servers are updated, the company wrote.
“But if you failed to install one of these security updates, then your servers and vital information are vulnerable,” the advisory said.
ProxyShell is the name Devcore principal security researcher Orange Tsai gave to the attack chain he described in a presentation at Black Hat. The three vulnerabilities it uses allow an attacker to achieve remote code execution on Microsoft Exchange servers. Microsoft said the bugs are exploitable in the following cases:
– The server is running an outdated, unsupported CU;
– The server is running security updates for outdated, unsupported versions of Exchange that were released in March 2021; or
– The server is running an outdated, unsupported CU with the March 2021 EOMT mitigations applied.
“In all of the above circumstances, you must install one of the latest assisted CUs and all applicable SUs to be preserved,” according to Microsoft. “Any Exchange servers not on a supported CU and the latest available SU are exposed to ProxyShell and other attacks that grasp older vulnerabilities.”
Sounding the Alarm
Jan Kopriva of the SANS Internet Storm Center reported finding more than 30,000 vulnerable Exchange servers through a Shodan scan. Given how much information is publicly available, any threat actor worthy of the name would find them easy to exploit.
Security researchers at Huntress also reported seeing the ProxyShell vulnerabilities being actively exploited throughout August to install backdoor access once ProxyShell exploit code was released on Aug. 6. Beginning last Friday, Huntress reported a “surge” in attacks after discovering 140 web shells deployed on 1,900 unpatched Exchange servers.
The Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing an urgent alert. It, too, urged organizations to install the latest Microsoft security update immediately.
At the time, researcher Kevin Beaumont criticized Microsoft’s messaging around the vulnerabilities and the urgency with which its customers needed to update their Exchange servers.
“Microsoft decided to downplay the significance of the patches and treat them as a standard monthly Exchange patch, which [has] been operated for – certainly – decades,” Beaumont wrote.
Beaumont said these remote code execution (RCE) vulnerabilities are “…as severe as they come.” He further noted that the company did not help matters by failing to assign CVEs for them until July, four months after the patches were released.
According to Beaumont, in order of patching priority, the vulnerabilities are CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.
CVE-2021-34473, a pre-authentication path confusion that leads to an ACL bypass, was patched in April. CVE-2021-34523, also fixed in April, is an elevation of privilege in the Exchange PowerShell backend. Finally, CVE-2021-31207, a post-authentication arbitrary file write that leads to remote code execution, was patched in May.
