CISA: ProxyShell flaws being actively exploited, patch now

Security researchers weighed in with evidence of ProxyShell exploitation by threat actors using malicious web shells and a new ransomware variant called 'LockFile.'

Nearly three weeks after the vulnerability set gained greater prominence at the Black Hat 2021 conference, the ProxyShell flaws are now being actively exploited by threat actors, according to an urgent CISA advisory published Saturday.

ProxyShell refers to three vulnerabilities that enable remote code execution on Microsoft Exchange servers: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. The set shares a prefix with ProxyLogon, another series of severe Exchange Server vulnerabilities that were disclosed in March.

Though all three of its vulnerabilities were patched by May, ProxyShell only gained prominence during an Aug. 5 Black Hat session, when a Devcore researcher known as "Orange Tsai" showcased the flaws and put a spotlight on Microsoft Exchange Server security issues.

The advisory by the Cybersecurity and Infrastructure Security Agency (CISA), though only a paragraph long, is tagged "urgent."

"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine," the advisory reads. "CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021 -- which remediates all three ProxyShell vulnerabilities -- to protect against these attacks."

CVE-2021-34473 is a critical remote code execution vulnerability with a CVSS score of 9.8; CVE-2021-34523 is a critical elevation of privilege vulnerability with a CVSS score of 9.8; and CVE-2021-31207 is a high-severity security feature bypass vulnerability with a CVSS score of 7.2. The three flaws are not exploited in isolation: a ProxyShell attack chains them, using the first two to reach the Exchange PowerShell back end without valid credentials and the third to write files, such as a web shell, onto the server.
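CISA's advice is to identify vulnerable systems and apply the May 2021 Security Update. The script below is an added example, not something from the article, CISA or Microsoft, showing how to triage an inventory of Exchange four-part build numbers (for instance the file version of ExSetup.exe on each server) against that update. The minimum-build table is an assumption that must be checked against Microsoft's published Exchange build-number list before use, and the inventory is constructed sample data.

```python
"""Triage Exchange build numbers against the May 2021 Security Update (KB5003435),
the update CISA's advisory names as remediating all three ProxyShell CVEs.

Added example: the threshold table is an ASSUMPTION to verify against Microsoft's
build-number table; the inventory below is constructed sample data, not real hosts.
"""
from typing import NamedTuple

# ASSUMED minimum builds carrying the May 2021 SU, keyed by release line
# (major, minor) and by the CU's third build component. Verify before relying on it.
MIN_PATCHED = {
    (15, 0): {1497: 18},            # Exchange 2013 CU23      -> 15.0.1497.18
    (15, 1): {2176: 14, 2242: 10},  # Exchange 2016 CU19/CU20 -> 15.1.2176.14 / 15.1.2242.10
    (15, 2): {792: 15, 858: 12},    # Exchange 2019 CU8/CU9   -> 15.2.792.15 / 15.2.858.12
}


class Verdict(NamedTuple):
    host: str
    build: str
    status: str   # "patched", "vulnerable" or "unknown"
    reason: str


def parse_build(build: str) -> tuple:
    """Split 'a.b.c.d' into integers. Comparing the raw strings is the classic
    mistake: '15.1.2242.9' sorts *after* '15.1.2242.10' lexically."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def assess(host: str, build: str) -> Verdict:
    """Decide whether one server's build is at or above the May 2021 SU floor."""
    try:
        major, minor, cu, rev = parse_build(build)
    except ValueError as exc:
        return Verdict(host, build, "unknown", str(exc))
    line = MIN_PATCHED.get((major, minor))
    if line is None:
        return Verdict(host, build, "unknown",
                       "not an Exchange 2013/2016/2019 build line; check manually")
    if cu in line:
        floor = f"{major}.{minor}.{cu}.{line[cu]}"
        if rev >= line[cu]:
            return Verdict(host, build, "patched", f"at or above {floor}")
        return Verdict(host, build, "vulnerable",
                       f"below {floor}; apply the May 2021 SU")
    if cu > max(line):
        # A CU released after May 2021 ships with the fixes rolled in.
        return Verdict(host, build, "patched",
                       "CU newer than the ones the May 2021 SU targets; confirm it includes the fixes")
    # Older CU: the SU was never offered for it, so it cannot be patched in place.
    return Verdict(host, build, "vulnerable",
                   "CU no longer serviced; upgrade to a supported CU, then apply the SU")


# Constructed sample inventory: hostname -> four-part build number.
SAMPLE_INVENTORY = {
    "mx01": "15.1.2242.10",  # 2016 CU20 with the May SU
    "mx02": "15.1.2242.8",   # 2016 CU20 with only the April SU
    "mx03": "15.2.858.5",    # 2019 CU9 as released, no SU
    "mx04": "15.1.2106.13",  # 2016 CU18, out of support
    "mx05": "15.2.922.7",    # 2019 CU10, released after the SU
    "mx06": "14.3.123.4",    # Exchange 2010: outside this table
}


def vulnerable_hosts(inventory: dict) -> list:
    """Hosts that definitely need the update, sorted for reporting."""
    return sorted(h for h, b in inventory.items()
                  if assess(h, b).status == "vulnerable")


if __name__ == "__main__":
    for host, build in SAMPLE_INVENTORY.items():
        v = assess(host, build)
        print(f"{v.host:6} {v.build:14} {v.status:10} {v.reason}")
```

The check deliberately reports an older, unserviced CU as vulnerable rather than unknown: the May update was only offered for the supported CUs, so a server on an earlier CU needs a CU upgrade before the fix can be applied at all.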

A Microsoft spokesperson shared the following statement with SearchSecurity: "Customers who have applied the latest updates are already protected against these vulnerabilities."

UPDATE 8/23: Following the publication of this article, a Microsoft spokesperson sent an updated statement to SearchSecurity. "We released security updates to help keep our customers safe and protected against this attack technique," the spokesperson said. "We recommend that customers adopt a strategy to ensure they are running supported versions of software and promptly install security updates as soon as possible after each monthly security release."

Other researchers have weighed in with more specific exploitation details. Huntress CEO Kyle Hanslovan tweeted Friday that the vendor had seen "140+ web shells across 1900+ unpatched boxes in 48 hrs" and that impacted organizations include "building [manufacturers], seafood processors, industrial machinery, auto repair shops, a small residential airport and more."

NSA cybersecurity director Rob Joyce retweeted Hanslovan's tweet and urged those vulnerable to monitor and patch their servers.

Security researcher Kevin Beaumont published an article on his Medium site DoublePulsar on Saturday calling ProxyShell "worse than ProxyLogon" and "more exploitable." Notably, the article described a new ransomware variant, known as "LockFile," that Beaumont's personal honeypot had caught using ProxyShell to gain access.

In addition, he called Microsoft's messaging of ProxyShell "knowingly awful."

"Microsoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which have been going on for -- obviously -- decades," Beaumont wrote. "You may remember how much negative publicity March's Exchange patches caused Microsoft, with headlines such as 'Microsoft emails hacked.'"

Beaumont criticized Microsoft because, despite patching the ProxyShell flaws in April and May, two of the three -- CVE-2021-34473 and CVE-2021-34523 -- weren't disclosed until July. "Given many organizations vulnerability manage via CVE," he wrote, "it created a situation where Microsoft's customers were misinformed about the severity of one of the most critical enterprise security bugs of the year."

A recent Shodan scan of nearly 240,000 internet-facing Microsoft Exchange servers showed that nearly 50,000 were still vulnerable to the ProxyShell flaws. ProxyLogon saw a similar lag between the patches becoming available and organizations applying them.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
