UPDATE: Sept. 7, 2021: Conti affiliates are using ProxyShell exploits to target organizations during ransomware attacks, according to Sophos research.
ProxyShell evolved from earlier ProxyLogon attacks and has been observed in recent ransomware attacks, including those used during deployment of the LockFile ransomware, according to Sophos. In the ransomware attacks, dwell times accelerated from what previously took weeks to hours or even faster.
Meanwhile, researchers at Mandiant responded to ProxyShell exploitation activity, linked to threat actor UNC2980, involving a U.S.-based university in August, according to a blog posted on Friday. The threat actor was observed exploiting CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 to upload webshells.
UPDATE: Aug. 26, 2021: Microsoft updated its Exchange server guidance, urging users to install the latest security updates. Customers are protected if they have installed either the May 2021 or the July 2021 updates, Microsoft said.
Huntress, with the help of security researcher Florian Roth, found evidence of configuration file modification before August in some of the hidden webshells in Exchange. Those modifications predate the previous ProxyShell timeline, Huntress said.
Months after a nation-state linked campaign against Microsoft Exchange led to malicious exploits against tens of thousands of devices, threat actors are exploiting vulnerabilities known as ProxyShell, in order to install backdoors and enable remote code execution on vulnerable machines, researchers found.
Malicious cyber actors are actively exploiting three vulnerabilities, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, the Cybersecurity and Infrastructure Security Agency said Saturday. CISA urged organizations to identify vulnerable systems and immediately apply a Microsoft security update from May 2021.
Huntress Labs data shows the number of unpatched and vulnerable servers has dropped from about 1,900 over the weekend to about 1,764. But the number of compromised servers and incident reports has risen from about 100 to 300, according to John Hammond, senior security researcher at Huntress. Coinciding with the attack, the security firm is now seeing crypto mining activity dubbed WannaMine and ransomware activity from a new group identified as LockFile.
At the BlackHat 2021 conference earlier this month, Orange Tsai, principal security researcher at DevCore, highlighted the new attack surface on Microsoft Exchange. Eight vulnerabilities, dating back to January of this year, were linked to the new attack surface on Microsoft Exchange and chained into three attacks: ProxyLogon, ProxyOracle and ProxyShell.
ProxyLogon was first disclosed on March 2 and is linked to the Hafnium campaign associated with the attacks against Microsoft Exchange.
The new ProxyShell attacks should not be confused with the ProxyLogon attacks seen during March, Hammond said. However, a similar indicator of compromise occurs in the presence of a malicious .ASPX webshell in the Exchange server’s public web directory.
"Mandiant has recently observed ProxyShell exploitation across a range of customers and industries," Stuart McKenzie, senior vice president, Mandiant Consulting, EMEA, said via email. "In particular, it is being used by attackers to create webshells on vulnerable systems."
A number of security researchers have developed and released proof of concept code, McKenzie said. That has made it even more difficult to attribute the ProxyShell activity to any one group of threat actors.
"This means that any group could be leveraging the exploit and organizations who have not patched are vulnerable to attack," McKenzie said. "The patch rates of ProxyShell are low and we would urge companies to apply patches as quickly as possible."
Microsoft officials urged customers to apply security updates released following the Hafnium attacks.
"We released security updates to help keep our customers safe and protected against this attack technique," Microsoft told Cybersecurity Dive via email. "We recommend that customers adopt a strategy to ensure they are running supported versions of software and promptly install security updates as soon as possible after each monthly security release."