Tens of thousands of global Microsoft Exchange servers could be at risk after threat actors began exploiting three so-called “ProxyShell” vulnerabilities.
The three bugs were discovered in the April Pwn2Own competition and patched by Microsoft in April and May. However, the tech giant only assigned CVEs to them in July, complicating efforts by some sysadmins to check if their systems were vulnerable.
In the meantime, threat actors managed to take publicly available information on the vulnerabilities and craft exploits for the three bugs.
Now the Cybersecurity and Infrastructure Security Agency (CISA) has urged vulnerable organizations to patch the flaws.
“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” it said.
“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021 — which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”
Security experts have warned that threat actors actively scan for vulnerable servers to install web shells on, enabling further malicious activity. The situation calls to mind the four zero-day ProxyLogon bugs patched in March, which were exploited far and wide.
Huntress Lab said it had seen over 140 web shells installed across 1900+ unpatched servers in just 48 hours last week.
The bugs are apparently also being used in conjunction with the recently revealed PetitPotam vulnerability to deliver LockFile ransomware.
Symantec explained the threat in an updated blog post yesterday.