According to the Cybersecurity and Infrastructure Security Agency (CISA), malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-3447CVE-2021-3452, and CVE-2021-3120. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. 

CISA is urging organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.

Just as it happened in March, after additional technical details were disclosed about the three security vulnerabilities, security researchers and threat actors could recreate a working ProxyShell exploit, scan and, ultimately, hack Microsoft Exchange servers using the exploit, Bleeping Computer reports. 

And while the payloads were initially harmless, threat actors have started to deploy LockFile ransomware payloads, Bleeping Computer says. Indications are that the attackers gain access to victims’ networks via Microsoft Exchange Servers and then use the incompletely patched PetitPotam vulnerability to gain access to the domain controller, and then spread across the network, Symantec Threat Hunter Team has observed. 

LockFile ransomware - previously unseen - was first observed on the network of a U.S. financial organization on July 20, 2021, by the Symantec Threat Hunter team, with its latest activity seen as recently as August 20. LockFile has been seen in organizations worldwide, with most of its victims based in the U.S. and Asia. Victims are in manufacturing, financial, engineering, legal, business, and travel and tourism sectors.

“The speed with which threat actors weaponized the ProxyShell vulnerabilities highlights why having good threat intelligence is critical,” says Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response. “This vulnerability was discussed openly, and the consensus among researchers was that weaponization was imminent. Those organizations with that early warning were able to prioritize patching and should not be impacted.”

In addition, security firm Huntress Labs claims it has already found more than 140 web shells deployed by threat actors on more than 1,900 compromised Microsoft Exchange servers. Even though the CISA warning is timely, William says, by the time there’s a warning about active exploitation in the wild, threat actors have likely compromised any Internet-facing assets. Organizations that haven’t patched yet should be proceeding under the assumption that they’ve been compromised. Installing the patch now will prevent future exploitation, but any backdoors already deployed by threat actors will remain after the patch.”

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, notes that organizations who have not already taken action should take the next three urgent steps:

  1. Deploy updates to affected Exchange Servers.
  2. Investigate for exploitation or indicators of persistence.
  3. Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.

Bar-Dayan explains, “If for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration. Microsoft also released an Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus, available here. It’s important to remember that the mitigations suggested are not substitutes for installing the updates, and the patches should be deployed as soon as possible.

Remember, a ransomware attack almost always takes advantage of known yet unaddressed security vulnerabilities. It is essential to maintain good cyber hygiene to stay a step ahead of threat actors.”