Web Shells and Ransomware transmitted exploiting ProxyShell Vulnerabilities

Garima Kejriwal

August 23, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) has recently warned that various attackers use three so-called “ProxyShell” vulnerabilities to compromise Microsoft Exchange Servers worldwide. They were discovered and demonstrated by Orange Tsai and his fellow research colleagues from DEVCORE Research Team at the Pwn2Own contest and also mentioned at the Black Hat and DEF CON conferences earlier this month. The vulnerabilities are CVE-2021-344473, CVE-2021-34523 and CVE-2021-31207. They set an exploit chain that helps to gain access to the network. They seem more dangerous than ProxyLogon flaws as they are pre-authenticated remote code execution vulnerabilities. They are harmful and more exploitative. Unlike ProxyLogon attacks, where the attacker needed to know an Exchange administrator mailbox, they don’t apply here. It bypasses that step eliminating the need to know the identity of an Exchange administrator in advance. Even though Microsoft patched the vulnerabilities in April-May 2021, they failed to assign CVEs to promote the fact they could lead to severe problems. While many security researchers are shedding light on this incident, many enterprise administrators are yet to update on-premise Microsoft Exchange servers to protect them against exploitation. They are urging them to implement the needed patches to prevent further trouble. And those who have yet to patch the flaws are highly recommended to check whether attackers have already popped their machines.

Abridged fromHelp Net Security