A former Microsoft security researcher is sounding the alarm that multiple threat actors, including at least one ransomware group, have been mass exploiting ProxyShell vulnerabilities on Microsoft Exchange servers over the past month.
ProxyShell is composed of three distinct vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that were originally discovered in April by Cheng-Da Tsai, a security consultant for DevCore. When chained together, the three flaws allow an attacker to gain administrator level, unauthenticated remote code execution privileges for Microsoft Exchange servers.
Kevin Beaumont, a security researcher who previously worked as a senior threat intelligence for Microsoft, said that he is now seeing “mass in the wild exploitation of ProxyShell” by multiple threat actors and expressed alarm at how many organizations in the public and private sector are currently exposed.
“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March — they are more exploitable, and organisations largely haven’t patched,” Beaumont wrote Aug. 21 on his security blog, DoublePulsar.
That includes government agencies. Beaumont said there are currently “hundreds of directly exploitable, internet facing systems with .gov SSL certificate hostnames within the U.S.” The same day he posted his blog, the Cybersecurity and Infrastructure Security Agency pushed out its own alert urging Microsoft Exchange users to take the bugs seriously. CISA has not issued any operational or emergency directives to federal agencies, usually a sign that the federal government is broadly at risk.
“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks,” the agency warned.
Some of the malicious hackers are using U.S. internet service providers and mimicking successful tactics carried out by Hafnium, one of the original groups found to be exploiting a separate set of Microsoft Exchange Server vulnerabilities in March and that U.S. and UK cybersecurity officials say str linked to the Chinese government.
A honeypot set up by Beaumont began picking up evidence of exploitation from an IP address last week. That wound up matching an address detailed in a separate Symantec report of an actor exploiting unknown “access to victims’ network via Microsoft Exchange Servers” to deploy LockFile ransomware. Beaumont’s honeypot saw the same actor return days later to stage LockFile artifacts, and it appears the unknown vulnerabilities they were exploiting was in fact ProxyShell.
Threat intelligence firm Huntress said on Aug. 21 that they have observed at least five distinct styles of webshells hit Exchange servers in the Month of August and identified at least 1900 vulnerable servers and identified at least 164 exploited servers in the past four days. By Saturday less than 150 servers were patched, something senior security researcher John Hammond noted was “fairly concerning since we are starting to see active post-exploitation behavior that includes coinminers and ransomware.”
Microsoft response criticized
Beaumont, who left Microsoft in April 2021, was sharply critical of the way his former employer has handled remediation and communication with its customers around ProxyShell. He claims the company has thus far failed to treat ProxyShell with the same urgency they brought to earlier Exchange vulnerabilities like ProxyLogon, where they issued blogs, remediation scripts and threat intelligence research in the wake of disclosure.
While patches were issued in April and May to fix the problem, Microsoft rolled them into their monthly Exchange updates, something Beaumont said “downplayed” their importance to customers and the public. As a result, many Microsoft Exchange customers may not have been sufficiently alerted to a dangerous, high-profile security weakness that is being actively exploited in the wild.
In addition, Microsoft didn’t move to create standalone CVEs until July 2021, months after they knew of the vulnerabilities. Beaumont surmised that Microsoft’s muted reaction could stem from a desire to avoid the kind of negative press they received after previous Exchange vulnerabilities were reported. The company also doesn’t include on-premise Exchange servers in scope for its bug bounty programs, so researchers who find even serious flaws are not able to receive compensation.
In an Aug. 18 post on Zero Day Initiative, Tsai included a screenshot of a statement from Microsoft explaining the CVE delay, saying they were “inadvertently omitted” from the April 2021 updates.
In response to a request for comment, a Microsoft spokesperson said the company releases updates and fixes on a monthly schedule and took “unprecedented steps in March to help Exchange On-Premises customers running very old versions get updated to supported CUs so that installing new security updates going forward will become a more routine process.”
“We released security updates to help keep our customers safe and protected against this attack technique,” a Microsoft spokesperson told SC Media in an email. “We recommend that customers adopt a strategy to ensure they are running supported versions of software and promptly install security updates as soon as possible after each monthly security release.”
The lack of resources developed by Microsoft have largely left the burden of informing the public, urging patching and developing broader detection rules to outside researchers like Beaumont and Tsai. Beaumont wrote an Nmap plugin to scan for unpatched systems and worked to incorporate it into Shodan’s detection engine. Cybersecurity insurers like Coalition have said they are using detection tools developed from previous Exchange vulnerabilities to inform and notify vulnerable policyholders.
Tsai noted that even with the authentication issues patched, Microsoft Exchange servers remain “a treasure waiting for you to find bugs” and predicted that we will only see more damaging vulnerabilities discovered in the future.
“For the system administrators, since it’s an architecture problem, it’s hard to mitigate the attack surface with one single action,” Tsai noted. “All you can do is keep your Exchange Server up-to-date and limit its external Internet exposure.”