CISA warns administrators to urgently fix Exchange ProxyShell bugs




The US Cybersecurity and Infrastructure Security Agency (CISA) issued its first alert labeled as “urgent,” warning administrators to patch on-premises Microsoft Exchange servers against actively exploited ProxyShell vulnerabilities.

“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207,” CISA warned over the weekend.

“CISA urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s security update from May 2021, which fixes the three ProxyShell vulnerabilities, to protect against these attacks.”

These three security holes (fixed in April and May) were discovered by Devcore security researcher Orange Tsai, who used them to compromise a Microsoft Exchange server during the April 2021 Pwn2Own hacking contest.

Actively exploited by multiple threat actors

The warning follows similar alerts urging organizations to defend their networks against the wave of attacks that hit tens of thousands of organizations around the world in March, with exploits targeting four zero-day Microsoft Exchange bugs known as ProxyLogon.

Even though Microsoft fully fixed the ProxyShell bugs in May 2021, it did not assign CVE IDs for the three security vulnerabilities until July, preventing some organizations that had unpatched servers from discovering that they had vulnerable systems on their networks.

After additional technical details were recently leaked, security researchers and threat actors were able to replicate a working ProxyShell exploit.

Then, as happened in March, attackers began to find and hack Microsoft Exchange servers using ProxyShell vulnerabilities.

After breaching unpatched Exchange servers, malicious actors drop web shells that allow them to upload and run malicious tools.

While the payloads were initially harmless, attackers began deploying LockFile ransomware payloads delivered to compromised Windows domains using Windows PetitPotam exploits.

The American security firm Huntress Labs said it had found more than 140 web shells deployed by attackers on more than 1,900 compromised Microsoft Exchange servers as of Friday.

Shodan also tracks tens of thousands of Exchange servers vulnerable to attack using ProxyShell exploits, most located in the United States and Germany.

“A new wave of Microsoft Exchange server exploitation is underway,” Rob Joyce, NSA cybersecurity director, warned over the weekend. “You need to make sure that you are patched and that you are monitoring if you are hosting an instance.”

The NSA also reminded defenders over the weekend that the guide it published in March on web shell hunting is still applicable to these ongoing attacks.

Detailed information on how to identify Microsoft Exchange servers in need of ProxyShell patching and how to detect attempted exploitation can be found in the blog post published by security researcher Kevin Beaumont.


