Microsoft Exchange under attack via ProxyShell flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning of active exploitation attempts that take advantage of the "ProxyShell" set of Microsoft Exchange vulnerabilities, which Microsoft patched in April and May, including the deployment of LockFile ransomware on compromised systems.

Tracked as CVE-2021-34473 (a pre-authentication path confusion that bypasses ACL controls), CVE-2021-34523 (elevation of privilege on the Exchange PowerShell backend) and CVE-2021-31207 (a post-authentication arbitrary file write), the vulnerabilities can be chained so that an unauthenticated, remote attacker achieves code execution on the server. While the first two were addressed by Microsoft on April 13, the patch for CVE-2021-31207 shipped as part of the Windows maker's May Patch Tuesday updates. Note that Microsoft's April and May security updates fixed these bugs without assigning all three CVEs at the time, so servers that applied only the March (ProxyLogon) updates remain exposed.

"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine," CISA said.

The development comes just over a week after cybersecurity researchers sounded the alarm over opportunistic scanning for, and exploitation of, unpatched Exchange servers using the ProxyShell attack chain.

Originally demonstrated at the Pwn2Own hacking contest in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that also includes ProxyLogon and ProxyOracle, the latter of which covers two flaws that can be used to recover a user's password in plaintext.

"They are backdooring boxes with webshells that drop other webshells and also executables that call out periodically," security researcher Kevin Beaumont noted last week.

Now, according to Huntress Labs researchers, at least five distinct styles of web shell have been observed deployed on vulnerable Microsoft Exchange servers, with more than 100 incidents related to the exploit reported between August 17 and 18. Web shells are being dropped on compromised servers, but it is not yet clear what the attackers' goals are or to what extent all three flaws were used.

To date, more than 140 web shells have been detected across as many as 1,900 unpatched Exchange servers, Huntress Labs CEO Kyle Hanslovan tweeted, adding that "impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more."
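The chain described above (an Autodiscover path-confusion request that reaches the PowerShell or MAPI backend) and the web-shell drops Huntress and Beaumont describe both leave traces in the IIS logs of the Exchange front end. The script below is an added example, not code from the article, CISA or Huntress: it parses W3C-format IIS log lines and flags (1) requests to /autodiscover/autodiscover.json whose query string carries an "@" and a backend path, which is the publicly documented shape of the CVE-2021-34473 request, and (2) successfully served .aspx pages under /aspnet_client/, a directory that normally serves no pages and where dropped web shells were reported. The log lines, hostnames and IPs are constructed for the demonstration.

```python
"""Scan IIS W3C logs from an Exchange front end for ProxyShell exploitation patterns.

Added example, not code from the article, CISA or Huntress. Sample log
lines below are constructed; hostnames and IP addresses are documentation
values, not real indicators.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Backend paths seen after the '@' in ProxyShell requests. '/powershell' is the
# one the attack chain needs; the others cover reconnaissance variants.
BACKEND_PATHS = ("/powershell", "/mapi/nspi", "/ews", "/ecp", "/oab")
AUTODISCOVER_RE = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
# /aspnet_client/ should contain no .aspx pages; anything served from there is suspect.
ASPNET_CLIENT_RE = re.compile(r"^/aspnet_client/.+\.aspx$", re.IGNORECASE)

# Constructed sample log (not from the article). Field order follows the #Fields header.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-18 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-18 03:14:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-18 03:14:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgAAAAAAAAA&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-18 03:14:12 10.0.0.5 GET /ecp/default.flt - 443 - 192.0.2.4 Mozilla/5.0 200
2021-08-18 03:15:30 10.0.0.5 GET /aspnet_client/hello.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str


def iter_records(log_text):
    """Yield (line_no, {field: value}) for each data line, using the #Fields header."""
    fields = None
    for n, raw in enumerate(log_text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess which column is which
        yield n, dict(zip(fields, parts))


def is_proxyshell_request(stem, query):
    """True if the request has the Autodiscover path-confusion shape."""
    if not AUTODISCOVER_RE.search(stem):
        return False
    q = unquote(query).lower()
    return "@" in q and any(p in q for p in BACKEND_PATHS)


def scan(log_text):
    """Return a list of Findings for suspicious requests in the log text."""
    findings = []
    for n, rec in iter_records(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        query = "" if query == "-" else query
        ip = rec.get("c-ip", "?")
        status = rec.get("sc-status", "")
        if is_proxyshell_request(stem, query):
            findings.append(Finding(n, ip, "Autodiscover path confusion toward backend: "
                                    + unquote(query)[:60]))
        elif status == "200" and ASPNET_CLIENT_RE.match(stem):
            findings.append(Finding(n, ip, "served .aspx from /aspnet_client/: " + stem))
    return findings


def attacker_ips(findings):
    """Distinct client IPs behind the findings, for blocking or pivoting in other logs."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.reason}")
    print("client IPs to investigate:", attacker_ips(scan(SAMPLE_LOG)))
```

Run it against the exported logs under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\`; a hit on the Autodiscover rule means the server was at least probed, and a hit on the /aspnet_client/ rule means a page was served from a directory that should not serve any, so treat the host as compromised until the file is examined.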
