Threat Signal Report

Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell

Description

FortiGuard Labs is aware of a report that Microsoft Exchange servers are actively being scanned to determine which ones are prone to ProxyShell. ProxyShell is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. When used in chain on a vulnerable Microsoft Exchange server, the attack allows the attacker to remotely run malicious code on the targeted system as a result. Microsoft patched all three vulnerabilities as part of Microsoft Patch Tuesday in April and May 2021.


When was the Issue Disclosed?

Security researcher Orange Tsai presented ProxyShell at the recent BlackHat, DefFon and the Pwn2Own contest.


Were CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 Disclosed as Part of the ProxyShell presentation?

No, Microsoft disclosed CVE-2021-31207 in May and CVE-2021-34473 and CVE-2021-34523 in July as part of Patch Tuesday.


How Significant is ProxyShell?

MEDIUM-HIGH. While ProxyShell allows remote code execution on the compromised machine, patches are available for all three vulnerabilities, which lower the severity. According to security researcher Kevin Beaumont in relation to CVE-2021-34473, "about 50% of internet exposed boxes aren't patched yet," which somewhat raises severity.


What is the Workflow of ProxyShell?

In simple workflow, the attacker first exploits CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability) on the vulnerable Microsoft Exchange server to gain Exchange backend access. Then CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability) is used to gain admin privilege, then CVE-2021-31207 (Microsoft Exchange Server Security Feature Bypass Vulnerability) is used to perform remote code execution.


Has Microsoft released a patch for the vulnerabilities?

Yes. Microsoft released a patch for CVE-2021-31207 in May.

While CVE-2021-34473 and CVE-2021-34523 were disclosed in July 2021, Microsoft released a patch in April 2021 without disclosing them.


Has any Malware been Deployed as a Result of the ProxyShell Exploit Attack Chain?

FortiGuard Labs is not aware of any malware being deployed to the affected servers. However, earlier in the year, DearCry ransomware was delivered to the machines that were compromised using another Microsoft Exchange server exploit chain "ProxyLogon". As such, ransomware payload off ProxyShell is always a possibility.

FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when actual payload becomes available.


What is the Status of Coverage?

FortiGuard Labs provides the following IPS coverage against CVE-2021-34473:


MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution


FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.

Currently, there is not enough information available for us to develop protection for CVE-2021-31207 and CVE-2021-34523. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when additional coverage becomes available.


Any Other Suggested Mitigation?

Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.