Threat actors are actively exploiting the Microsoft Exchange ProxyShell flaws to hack over 1900 servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the latest Microsoft Exchange flaws. Microsoft patched the ProxyShell vulnerabilities earlier in May; the exploitation has also included deploying LockFile ransomware on compromised systems.
The vulnerabilities, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, enable threat actors to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated remote code execution. Microsoft patched CVE-2021-34473 and CVE-2021-34523 on April 13, while the fix for CVE-2021-31207 shipped as part of the Windows maker’s May Patch Tuesday updates.
According to CISA, “An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine.”
The warning comes a week after cybersecurity researchers discovered scanning for and exploitation of unpatched Exchange servers using the ProxyShell attack chain. Similar exploitation was demonstrated at the Pwn2Own hacking contest in April this year.
Huntress Labs CEO Kyle Hanslovan tweeted that more than 140 web shells and nearly 1900 unpatched Exchange servers had been detected to date. He added, “impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.”
Keep your Exchange servers safe this weekend. @HuntressLabs has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more. #ProxyShell pic.twitter.com/clhQ0E5rnR
— Kyle Hanslovan (@KyleHanslovan) August 20, 2021