Microsoft has issued a security alert, warning its customers of the actively exploited ProxyShell vulnerabilities affecting multiple on-premises Microsoft Exchange versions.
“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities,” the Microsoft Exchange team wrote in a recent blog post.
“If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).”
“But if you have not installed either of these security updates, then your servers and data are vulnerable. As we have said several times, it is critical to keep your Exchange servers updated with latest available Cumulative Update (CU) and Security Update (SU).”
The vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), collectively known as ProxyShell, allow attackers to elevate privileges on the Exchange PowerShell backend and perform unauthenticated, remote code execution.
Earlier this month, researchers at Huntress Labs warned of multiple attacks targeting unpatched Microsoft Exchange servers. They said that at least five distinct styles of webshells were observed being deployed to vulnerable Microsoft Exchange servers, with over 100 incidents related to the exploit reported in just two days – between August 17 and 18. According to the researchers, attackers use the ProxyShell exploit to install a backdoor for later access and post-exploitation.
“Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats. Please update now!,” Microsoft said.