Microsoft Exchange servers, the core through which millions of corporate emails circulate, have been attacked through ProxyShell.
ProxyShell is a group of three security flaws that, chained together, can be used to take control of Microsoft Exchange mail servers. The flaws are tracked under the following CVEs:
- CVE-2021-34473: a pre-authentication remote code execution flaw that gives malicious actors access to the affected system.
- CVE-2021-34523: allows malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers, due to a flaw in how the PowerShell service validates access tokens.
- CVE-2021-31207: allows malicious actors to execute arbitrary code post-authentication in the SYSTEM context and to write files arbitrarily.
To put numbers to the situation: a scan conducted in early August by SANS ISC, two days before the proof of concept (PoC) was published, found that more than 30,000 Exchange servers, out of a total of 100,000, still had patches pending.
Initial exploitation has been observed on more than 1,900 devices. To make matters worse, a user on a Russian cybercrime forum has published the list of 100,000 internet-accessible Exchange servers, making attacks on third-party entities easier.
The recommendations are to update to the latest version, to monitor indicators of compromise (IoCs), and to stay alert to new information being published about these vulnerabilities.
Image: Pixabay
Source: The Record
