Microsoft Exchange ProxyShell Targeting in Australia

Australian Cyber Security Centre

Background / What has happened?

The ACSC is tracking three vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, known collectively as ProxyShell) in Microsoft Exchange Servers that together allow unauthenticated remote code execution and arbitrary file upload with elevated privileges.

It is likely that threat actors will actively exploit these vulnerabilities against vulnerable Microsoft Exchange Servers.

  • CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
  • CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
  • CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.

Microsoft released patches for these vulnerabilities in April and May 2021.

Additional information can be found in the Microsoft advisories:

Mitigation / How do I stay secure?

The ACSC strongly recommends that organisations urgently:

  • Review their networks for vulnerable instances of Microsoft Exchange Servers.
  • Update their Microsoft Exchange Servers as identified in the Microsoft Advisories above.
  • Identify evidence of exploitation activity by reviewing proxy logs for requests to autodiscover/autodiscover.json that returned response code 200, 301 or 302 and contain one of the following strings:
    • powershell
    • mapi/nspi
    • mapi/emsmdb
    • EWS/
    • X-Rps-CAT
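
As an added illustration of that log review step (not part of the ACSC advisory), the following Python script applies the triage rule above to constructed proxy log lines. The combined-log-style layout, the field regex and the sample entries are assumptions; adapt the regex to the fields your proxy actually emits.

```python
import re
from typing import Iterable, List, Optional

# Indicator strings taken from the ACSC guidance above; matched case-insensitively
# because IIS treats URL paths case-insensitively.
INDICATORS = ("powershell", "mapi/nspi", "mapi/emsmdb", "ews/", "x-rps-cat")
INTERESTING_STATUS = {"200", "301", "302"}

# Assumed (hypothetical) log layout: Apache/NGINX combined format. Real proxy
# formats differ, so adjust the regex to the fields your proxy emits.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_suspicious(line: str) -> Optional[dict]:
    """Return parsed fields if the line matches the ACSC triage pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped here, worth counting in real use
    target = m.group("target")
    low = target.lower()
    if "autodiscover/autodiscover.json" not in low:
        return None
    if m.group("status") not in INTERESTING_STATUS:
        return None
    # Only the URL is checked here; if your proxy also logs request headers,
    # include those fields so header-borne indicators such as X-Rps-CAT are seen.
    hits = [ind for ind in INDICATORS if ind in low]
    if not hits:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"),
            "status": m.group("status"), "target": target, "indicators": hits}

def triage(lines: Iterable[str]) -> List[dict]:
    """Run is_suspicious over every line and keep the hits, in log order."""
    return [r for r in (is_suspicious(line) for line in lines) if r]

# Constructed sample log lines (not real traffic): a benign Autodiscover request,
# two that match the guidance, and one with a non-matching status code.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Aug/2021:10:01:02 +1000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 512 "-" "Outlook"',
    '198.51.100.7 - - [14/Aug/2021:10:05:44 +1000] "GET /autodiscover/autodiscover.json?a=mapi/nspi HTTP/1.1" 200 0 "-" "python-requests/2.25"',
    '198.51.100.7 - - [14/Aug/2021:10:05:51 +1000] "POST /autodiscover/autodiscover.json?a=PowerShell&X-Rps-CAT=AAAA HTTP/1.1" 302 0 "-" "python-requests/2.25"',
    '198.51.100.7 - - [14/Aug/2021:10:06:10 +1000] "GET /autodiscover/autodiscover.json?a=EWS/ HTTP/1.1" 404 0 "-" "python-requests/2.25"',
]
```

`triage(SAMPLE_LOG)` returns the two matching entries; for a real log, pass it the opened file object instead of the constructed list.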

Microsoft has released security patches for the following versions of Microsoft Exchange:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371). The ACSC also recommends that organisations implement web shell mitigation steps.
