Proxyshell : A new critical windows vulnerability

The months of July and August 2021 have definitely not been a restful time for system administrators or Windows security. After PrintNightmare, a serious new vulnerability called Proxyshell was discovered by Orange Tsai, a cybersecurity researcher who presented it at the Pwn2Own 2021 conference.

What is Proxyshell?

Proxyshell is a set of Windows vulnerabilities that can allow an unauthenticated person to execute arbitrary commands on Microsoft Exchange Server via an exposed port 443.

When the attack succeeds, it allows remote control of the targeted server, which has far-reaching impacts, including gaining access to other systems on the network.

Once the attacker is in, they can perform any malicious activity they want, including ransomware, data exfiltration, etc.

Proxyshell Includes the following vulnerabilities:

CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207

Remote attack without needing to have valid access to your network

The success of the Proxyshell attack involves malicious code execution on the victim server. Typically, executing code on a machine requires the user to have a valid account, logging in with their password before executing their code. With Proxyshell, the user does not need to have an account on the victim machine - and that is very bad.

Having a strong password policy or well-managed network access would not protect you from this attack.

Massive exploitation of the flaw

According to the THESTACK website, hundreds of thousands of Microsoft Exchange servers are vulnerable to "ProxyShell" attacks, and active scans to find these servers are being observed in the wild. It’s expected that there will be numerous victims if security patches (which have been available for a few months) aren't applied quickly.

Affected systems

The following systems are affected by these vulnerabilities:

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019

If you’ve applied the May 2021 Windows updates (KB5003435), the vulnerability is fixed.

Here are StreamScan’s recommendations to protect yourself against Proxyshell

• Immediately apply the Microsoft updates to fix this flaw (KB5003435)

• Block all external communications to port 443 on your Exchange servers

• Implement measures to allow only authorized Powershell scripts to run on your computers. Beyond the protection against this vulnerability, this measure will strongly protect you against ransomware as there is more and more ransomware exploiting Powershell

• Check if your Exchange servers have been scanned for this vulnerability by looking for the strings /autodiscover/autodiscover.json and /mapi/nspi/ in the IIS logs. If you find any, your server has been scanned. If you’ve been scanned, you need to carry a thorough analysis of the server to identify if it has been hacked. Don’t neglect this step!

Why have patches been available since May 2021?

When security flaws are identified, the discoverer may choose to collaborate with the vendor of the affected technology. In this case, the collaboration results in the creation of a security patch that will be made available.

The discoverer and the technology vendor agree on a disclosure date for the vulnerability, to allow as many organizations as possible to apply the patches before it becomes public knowledge. Indeed, when it is known to the general public, massive exploitation attempts by hackers follow.

This is called responsible disclosure of vulnerabilities, and Streamscan fully adheres to this approach because it puts the priority on the security of organizations.

How can Streamscan protect you?

• At the Internet-scale, this type of attack will start with a 24/7 port scan on the Internet looking for vulnerable Exchange servers. Our CDS technology can detect this type of attack and thwart it.

• The exploitation of the attack requires executing a computer program in the form of a script (called webshell if it targets web applications). Our CDS technology can detect a cyberattack at all stages, including port scans and webshell/shellcode injection attempts. When our CDS detects such an attack, it can automatically block it via your firewall, NAC, or other security devices.

• Our CDS technology continuously discovers existing security vulnerabilities in your network, including PrintNightmare or ProxyShell. This means you will be alerted automatically when we discover vulnerable servers in your network.

• Our CDS technology continuously monitors your network for cyber attacks and abnormal or suspicious behavior. It protects your network 24/7 against cyber attacks.

• Through our MDR service, we proactively manage your network security, allowing us to alert you 24/7. We analyze suspicious movements and attacks that target you and deal with them upstream to prevent them from becoming problems. We act as an extension of your IT team and take care of your security.

Need Help? StreamScan is Here.

Whether you need help conducting a security audit, developing a security plan, or implementing a Managed Detection and Response solution, StreamScan has experts with years of experience in the manufacturing sector who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.