Up to and possibly more than 50% of Microsoft Exchange servers located in the UK appear to be vulnerable to three distinct vulnerabilities that were patched some time ago, but that are now being actively exploited in so-called ProxyShell attacks following the disclosure of technical exploits at Black Hat USA by hacker Orange Tsai.
According to Sky News, besides many thousands of businesses, at-risk organisations in the UK include government bodies and police forces. The three bugs are, respectively, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.
Analysts at Huntress Security explained that the attack chains the vulnerabilities, giving an attacker the ability to perform unauthenticated remote code execution (RCE). Huntress’ John Hammond said that he had identified nearly 2,000 vulnerable servers, although this has dwindled over the past few days. He said that the firm’s count of compromised servers and reports now stands at around 300.
“We are starting to see post-exploitation behaviour consisting of coinminers – appears to be WannaMine – and ransomware – LockFile – and we continue to urge organisations to patch,” said Hammond.
“We are examining Exchange log files from compromised servers, and we have seen a handful of IP addresses interacting with web shells for further post exploitation. Most of these include a User-Agent (python-requests) that indicates this is automated, while others include a traditional web browser that indicate they have performed some manual interaction.
“Huntress will continue to share new threat intelligence and indicators of compromise as we find it within our own blog post and public Reddit thread,” he added.
Claire Tills, senior research engineer at Tenable, said that malicious actors would have started scanning the internet for vulnerable servers as soon as Tsai delivered their presentation, and given the “popularity” of the recent ProxyLogon vulnerabilities – also disclosed by Tsai at first – exploitation was inevitable.
“These vulnerabilities are likely popular because of the ubiquity of Microsoft Exchange – threat actors know they have a higher potential for successful attacks by targeting services like this. The former success of attacks leveraging ProxyLogon also draws attackers to ProxyShell, relying on attacks and tactics known to work,” she said.
Crisis comms failure
However, the issues should not be taken as an outright indictment of any failure to patch on the part of the at-risk users, but as an apparent failures of communication from Microsoft itself.
At the time of writing, the known facts of this case appear to show that while Microsoft patched the first two vulnerabilities in April 2021, it did not disclose them or assign any of them CVE (Common Vulnerability and Exposure) numbers until July. The third vulnerability was both patched and disclosed in a May update.
This means that many users would, through no fault of their own, have believed the initial update to be trivial and not applied it, when in fact the vulnerabilities have now been shown to be much more severe. Security researcher Kevin Beaumont, who has been tracking ProxyShell since it was first disclosed, described Microsoft’s messaging about the attacks – which he described as worse than ProxyLogon – as “knowingly awful”.
Oz Alashe, CEO and founder of CybSafe, agreed the response to ProxyShell left much to be desired. “The lack of remediation action following the exposure of these vulnerabilities needs to be a lesson in the importance of messaging and vigilant security behaviours,” he said.
“These gaps in our defences will always emerge, but what matters is the speed and clarity of the response. Any ambiguity can lead to vital software updates not being deployed, and leave organisations exposed to malicious actors and ransomware attacks.
“With Gov.uk and the Police.uk among the domains still without the necessary Microsoft email server update, the consequences of not addressing these vulnerabilities are clear,” said Alashe. “Keeping software updated is a simple yet highly effective way we can reduce our cyber risk, and organisations need to ensure they convey its importance with speed and clarity.”
Veritas’ head of technology for the UK and Ireland, Ian Wood, added: “Most IT admins hate patching as much as end users hate software upgrades for their devices – sometimes they don’t install properly, sometimes they break things, and frequently they’re just plain disruptive.
“Furthermore, and what can be most problematic, they require a thorough understanding of what needs patching, where and when. As more ransomware attacks lead to the discovery of more vulnerabilities and, in turn, the creation of more patches, it’s easy for the whole thing to spiral out of control. It’s little wonder then that so many systems aren’t comprehensively patched.”