Alert Urges Organizations to Patch as Vulnerabilities Are Exploited
Four months after Microsoft released the first security update for three vulnerabilities in several versions of its on-premises Exchange Server software – collectively called ProxyShell – the company on Wednesday issued its first official guidance on the actively exploited flaws.
“If you have not installed either of these security updates, then your servers and data are vulnerable. As we have said several times, it is critical to keep your Exchange servers updated with the latest available cumulative update and security update,” the Microsoft Exchange Team says.
Microsoft has issued a series of bulletins and security updates since the first patches for the three Exchange Server vulnerabilities, but in this week’s statement, the company advised all organizations running the software to immediately install patches if they have not already done so.
The ProxyShell vulnerabilities in Exchange Server 2013, 2016 and 2019 are:
Microsoft’s warning comes five days after the Cybersecurity and Infrastructure Security Agency issued a statement warning that attackers were actively exploiting the ProxyShell vulnerabilities.
Microsoft says organizations that have implemented the ProxyShell patches that the company pushed out in May and July are protected.
Exchange servers, however, are vulnerable if: they are running an older, unsupported cumulative update without the May security update; they are running security updates for older, unsupported versions of Exchange that were released in March; or they are running an older, unsupported cumulative update with the March 2021 Exchange on-premises mitigation tool applied.
“In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” Microsoft’s Exchange team says.
The ProxyShell vulnerabilities were discovered by Devcore security researcher Cheng-Da Tsai – also known as Orange Tsai – who demonstrated an exploit at the Pwn2Own contest in April. Earlier, Orange Tsai had uncovered the ProxyLogon and ProxyOracle flaws in Exchange servers.
The ProxyLogon vulnerabilities in Exchange prompted alerts in March and April from CISA. Those flaws affected on-premises versions of the email servers that are primarily used by smaller businesses and local government agencies. In July, the Biden administration attributed some of the initial attacks exploiting ProxyLogon to China’s Ministry of State Security, aka MSS (see: Can the US Curb China’s Cyber Ambitions?).
The ProxyShell vulnerabilities were called “worse than Proxylogon” by Kevin Beaumont, head of the security operations center for London-based fashion retail giant Arcadia Group, who noted that his honeypots had started to see increased activity from certain malicious IP addresses.
“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March. They are more exploitable, and organizations largely haven’t patched,” Beaumont says.
Meanwhile, Symantec researchers warned in a report that a recently discovered ransomware gang called LockFile appears to have exploited the ProxyShell flaws to launch attacks.
Symantec estimates that LockFile has targeted at least 10 organizations in the U.S. and Asia, although it’s not clear if all of these incidents involved ProxyShell exploits.