System administrators and other IT professionals are urged to apply Microsoft’s May 2021 security updates as threat actors are actively exploiting a previous vulnerability in Microsoft Exchange Server.
The U.S. Cybersecurity and Infrastructure Security Agency said over the weekend that multiple threat actors are exploiting three ProxyShell Vulnerabilities, which could allow an attacker to install a backdoor to access systems, spy on organizations or deploy ransomware.
The three vulnerabilities are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, CISA said in the advisory. Specifically, the bugs allow an attacker to bypass security features, elevate privileges and perform remote code execution.
“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”
Rob Joyce, director of cybersecurity for the National Security Agency, gave a similar warning via Twitter.
New surge in Microsoft Exchange server exploitation underway. You Must ensure you are patched and monitoring if you are hosting an instance. https://t.co/HzqlQxvSZC
— Rob Joyce (@NSA_CSDirector) August 21, 2021
According to Bleeping Computer, the vulnerabilities were addressed in April and May after being discovered by a Devcore security researcher who demonstrated the flaws in an April Pwn2Own event.
Further, Microsoft didn’t assign CVE numbers for these vulnerabilities until July. That kept some organizations from realizing they had vulnerable systems, the website said.
Now, many exchange servers remain unpatched and vulnerable to these exploits, cybersecurity firm Huntress Labs said in a blog post.
The company further said there were at least 100 incident reports related to these exploits over Aug. 17 and 18. Attackers are moving quickly, with more than 140 webshells deployed across 1,900 unpatched systems in a 48 hour span.
The firm said 1,764 servers remained unpatched as of Sunday night. Post-exploitation behavior now includes coinminers and ransomware, the company said in the blog.
Huntress Labs suggests installing the July 2021 updates. Read the company’s blog for more information.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!