Blog
Ransomware

ProxyShell: the latest critical threat to unpatched Exchange servers

Tom Priest
Published 
Wednesday
 
25
 
August 2021
RSSLinkedIn
Threat actors are actively deploying a new attack chain against Microsoft Exchange

A new series of vulnerabilities in Microsoft Exchange Server were announced in early August 2021, which allow an unauthenticated threat actor to perform remote code execution. Threat actors including ransomware groups have already started to scan and exploit vulnerable servers using the ProxyShell attack chain. In this article, we discuss the threats posed by these recently disclosed vulnerabilities, and offer guidance on how to address them.

New critical vulnerabilities

A presentation delivered at the Black Hat 2021 USA conference on 5 August 2021 by the DEVCORE security researcher, Orange Tsai, disclosed the technical details of an attack chain comprised of three new Microsoft Exchange Server vulnerabilities in on-premise Exchange versions 2013, 2016 and 2019. This attack chain has been dubbed ProxyShell and, when successfully exploited, provides a threat actor with highly privileged access to a victim’s mail server.

The three vulnerabilities have been assigned the CVE ID numbers CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. The most severe of these vulnerabilities, CVE-2021-34473, has been assigned a critical rating score of 9.8 by the National Institute of Standards and Technology (NIST). Although disclosed publicly in July, both CVE-2021-34473 and CVE-2021-34523 were silently patched in April in Microsoft’s Exchange KB5001779 cumulative update. The third vulnerability, CVE-2021-31207, was patched in Microsoft’s Exchange KB5003435 cumulative update in May.

Thousands of systems remain unpatched

Microsoft Exchange servers with the latest patches are protected from ProxyShell attacks, so organisations that regularly patch their systems are likely to have addressed the threat. However, research suggests that of the estimated 400,000 Exchange servers exposed to the internet, over 30,000 are yet to be patched and are therefore still vulnerable to this new attack chain. The countries with the highest number of publicly accessible Exchange servers vulnerable to ProxyShell include the United States, Germany, and the United Kingdom.

The countries with the largest count of vulnerable servers. Additional countries are shown in the source chart.

Following the Black Hat presentation, threat actors have begun actively scanning the internet for unpatched Exchange servers to attempt to exploit the vulnerabilities.

The ProxyShell attack chain

Similar to the ProxyLogon attack chain that was widely exploited in early March, when combined into an attack chain the three new vulnerabilities provide a remote, unauthenticated threat actor with unfettered access to vulnerable Exchange servers. The first vulnerability, CVE-2021-34473, is a pre-authentication path confusion bug which leads to an Access Control List (ACL) bypass. If successfully exploited, the second stage targets CVE-2021-34523, which involves the elevation of privileges on the Exchange PowerShell backend. The final stage of the attack chain exploits the vulnerability, CVE-2021-31207, in which a threat actor is able to write arbitrary files to the system ultimately leading to remote control execution (RCE).

Why is Exchange under such frequent attack?

Due to their popularity as well as the highly sensitive and confidential information often held on Microsoft Exchange email servers, they are a high-value target for both profit-driven cybercriminals and state-sponsored threat actors. It is therefore no surprise that Exchange is being targeted repeatedly. Since the beginning of 2021, there have been three series of vulnerabilities in Microsoft Exchange that were discovered by the DEVCORE research team. ProxyOracle, first reported to Microsoft in January, allows a threat actor to recover the plaintext credentials of any Exchange user. ProxyShell and another widely-exploited vulnerability, ProxyLogon, allow threat actors to write arbitrary files to internet-facing Exchange servers to obtain highly-privileged, remote access. All three Proxy attack chains exploit flaws in Client Access Services (CAS), a fundamental component of Microsoft Exchange.

In the latest versions of on-premise Exchange, the Client Access Services component acts like an HTTP proxy controlling connections from the frontend services to the backend services on the mail server. As demonstrated during the ProxyLogon attacks, vulnerabilities in this architecture can be critical and give threat actors opportunities to leverage their access in a number of ways, from mounting ransomware attacks to mining cryptocurrency. In fact, in late August 2021, security researchers released reports of threat actors exploiting the ProxyShell vulnerabilities to deliver a new variant of the LockFile ransomware.

The series of vulnerabilities in the Proxy attack chains are logic bugs, so don’t rely on the modification of application memory on the Exchange server. They are therefore easier for threat actors to successfully reproduce than attacks relying on memory corruption bugs. Unlike ProxyLogon, there is currently no publicly-available proof of concept code allowing widespread exploitation from threat actors of all skill levels. However, a few days following the Black Hat presentation, a team of security researchers published a technical write-up successfully reproducing ProxyShell, suggesting that it is well within the reach of more skilled attackers.

The architecture of Microsoft Exchange from Microsoft Docs.

Our recommendations

Organisations that have applied the latest Exchange cumulative updates are protected against the ProxyShell attack chain, so the attacks should not be as widespread as those related to ProxyLogon (an investigation of which is highlighted in one of our previous blog posts). However, the rapid emergence of a new Exchange Server attack chain again highlights the importance of regularly updating and patching servers.

We recommend that the build number and software version of all Exchange servers should be checked against the major releases published by Microsoft. The Exchange server version and build number can be identified using Microsoft’s HealthChecker script or by running the following command in the Exchange Management shell: Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion.

Where possible, organisations can better protect on-premises Exchange servers against the initial stages of the Proxy attack chains by placing them behind a VPN concentrator or implementing a strict access control list (ACL).

Find out more

If you are currently experiencing a cyber attack, please request emergency assistance immediately.

To find out more about any of our services, please contact us. To start a conversation or report any errors or omissions, please feel free to contact the author directly.

Tom Priest
envelope by Bluetip Design from the Noun Project
Tom is a cyber security analyst at Asceris specialising in incident response, network forensics, business email compromise investigations and ransomware investigations.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

Other recent insights