Get Started

In this article

CyOps Important Security Update – ProxyShell


August 11, 2021
Last Updated: November 20, 2024
Share on:

Introduction

A new attack vector named ProxyShell was recently disclosed. ProxyShell is a Microsoft Exchange server vulnerability which provides an attacker with unauthenticated remote code execution (RCE) capabilities.

Microsoft Exchange Server is a mail and calendaring server that runs exclusively on Windows Server operating systems and is used by many organizations worldwide.

Microsoft released security updates for the ProxyShell vulnerabilities in April and May of 2021. However, many organizations still haven’t fully patched their Exchange servers and are still vulnerable to this attack.

This is part of an extensive series of guides about Network Attacks.

Microsoft Exchange Server – The Holy Grail

In the last few months there has been a trend of threat actors targeting Microsoft Exchange servers. Exchange servers are a critical entry point to an organization’s network – gaining a foothold in this component enables threat actors to easily infiltrate the inner network. Examples of this attack wer recently published by Israeli press regarding Chinese cyber-attacks on Israeli government, banks and high-tech organizations by exploiting Microsoft Exchange servers. Exchange servers also hold personal and confidential data which can be used in several ways to gain profit.

Enterprises often use on-premises Exchange servers that, if left unpatched, can widen the attack surface. According to Shodan.io, 400,000 on premise Exchange servers are open to the Internet, increasing the possibility of finding a vulnerable server which may lead to a successful exploit.

One of the most exploited Exchange vulnerabilities is ProxyLogon which was used by the HAFNIUM APT to deploy the China Chopper web shell and steal data from a compromised network. Following its disclosure, the ProxyLogon vulnerability was also used by other malicious threat actors for different purposes such as deploying ransomware and exfiltrating sensitive data.

Stop advanced cyber
threats with one solution

Cynet’s All-In-One Security Platform

  • Full-Featured EDR and NGAV
  • Anti-Ransomware & Threat Hunting
  • 24/7 Managed Detection and Response

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

ProxyShell – The New Old Friend

As part of the 2021 Black-Hat conference, Orange Tsai, a security researcher shared his discovery of the ProxyShell attack vector which is a combination of 3 vulnerabilities chained together to provide the attacker with an unauthenticated remote code execution (RCE). These chained vulnerabilities can be exploited remotely via Microsoft Exchange’s Client Access Service (CAS) which runs on port 443 in Internet Information Services (IIS).

  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability

The attack is comprised of the following steps:

Graphical user interface, application Description automatically generated

Technical analysis of the POC’s can be found in Orange Tsai’s Black-Hat presentation.

Tips From the Expert

In my experience, here are tips that can help you better defend against Microsoft Exchange vulnerabilities like ProxyShell:

  1. Prioritize Patching: Ensure your Exchange servers are up-to-date with the latest patches to address vulnerabilities like ProxyShell.
  2. Restrict External Access: Limit external access to Exchange’s Client Access Service (CAS) on port 443 to reduce the attack surface.
  3. Leverage Web Application Firewalls (WAFs): Deploy a WAF to filter and block suspicious traffic targeting Exchange servers, preventing exploitation attempts.
  4. Comprehensive Monitoring and Logging: Regularly review Exchange server logs for unusual activity and enable advanced logging to track suspicious scripts.
  5. Endpoint Detection and Response (EDR): Deploy EDR solutions to identify and mitigate post-exploitation activity on Exchange servers, such as ransomware deployment or data exfiltration.

Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.

Cynet Protection and Recommendations

The Cynet Security Research team has already deployed new rules aimed to detect and prevent exploitation attempts of these vulnerabilities and is currently working on additional detections to increase the visibility around it.

We strongly advise all customers to install the latest security updates on their Exchange servers which can be found here.

The CyOps team monitors our customers’ environments 24/7 and will be in contact in case any indicators of this vulnerability are detected in your environment.

Contact Cynet CyOps
(Cynet Security Operations Center)

Cynet CyOps is available to clients for any issues 24/7, questions or comments related to Cynet 360. For additional information, you may contact us directly at:

CyOps Mailbox – [email protected]

CyOps Team Leader – [email protected]

CyOps Manager – [email protected]

Israel: +972 72-3369736

UK: +44 2032 909051

US : +1 (347) 474-0048

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: