My TechDecisions

Compliance, IT Infrastructure, Network Security, News

CISA: Cybercriminals Targeting ProxyShell Flaws

The cybersecurity community and U.S. government is warning of active exploits targeting unpatched Microsoft Exchange servers.

Leave a Comment

Microsoft Defender Firewall, Intune
Dvoevnore /stock.adobe,com

System administrators and other IT professionals are urged to apply Microsoft’s May 2021 security updates as threat actors are actively exploiting a previous vulnerability in Microsoft Exchange Server.

The U.S. Cybersecurity and Infrastructure Security Agency said over the weekend that multiple threat actors are exploiting three ProxyShell Vulnerabilities, which could allow an attacker to install a backdoor to access systems, spy on organizations or deploy ransomware.

Related: 44 Vulnerabilities Addressed in Microsoft’s August Security Release

The three vulnerabilities are tracked as CVE-2021-34473CVE-2021-34523, and CVE-2021-31207, CISA said in the advisory. Specifically, the bugs allow an attacker to bypass security features, elevate privileges and perform remote code execution.

“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”

Rob Joyce, director of cybersecurity for the National Security Agency, gave a similar warning via Twitter.

According to Bleeping Computer, the vulnerabilities were addressed in April and May after being discovered by a Devcore security researcher who demonstrated the flaws in an April Pwn2Own event.

Further, Microsoft didn’t assign CVE numbers for these vulnerabilities until July. That kept some organizations from realizing they had vulnerable systems, the website said.

Now, many exchange servers remain unpatched and vulnerable to these exploits, cybersecurity firm Huntress Labs  said in a blog post.

The company further said there were at least 100 incident reports related to these exploits over Aug. 17 and 18. Attackers are moving quickly, with more than 140 webshells deployed across 1,900 unpatched systems in a 48 hour span.

The firm said 1,764 servers remained unpatched as of Sunday night. Post-exploitation behavior now includes coinminers and ransomware, the company said in the blog.

Huntress Labs suggests installing the July 2021 updates. Read the company’s blog for more information.

Reader Interactions

Leave a Reply

Your email address will not be published.

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

Harnessing the Power of Digital Signage
Harnessing the Power of Digital Signage

Choosing the best solutions for messaging, branding, and communicating in today’s content-everywhere landscape

Blueprint Series Cover: What works for hybrid work
Blueprint Series: What Works for Hybrid Work

Download this free resource to learn about how IT leaders can effectively manage and implement a hybrid work model.

Guide to creating a ransomware response plan download
Blueprint Series: Creating a Ransomware Response Plan

Chances are ransomware hackers are researching your company right now. They’re investing time and money to choose the most profitable targets and a...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ