Microsoft logo seen above its headquarters showing ransomware attacks on Exchange servers

LockFile Ransomware Attacks Exploit ProxyShell Vulnerabilities on Unpatched Microsoft Exchange Servers

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert over Microsoft Exchange ProxyShell vulnerabilities being actively exploited by threat actors in the wild.

At the same time, cybersecurity firm Huntress discovered over 140 webshells launched against 1,900 unpatched Exchange servers. Huntress security researcher Kyle Hanslovan said that impacted organizations include manufacturing, seafood processors, auto repair shops, industrial machinery, and a small residential airport, among others.

Similarly, several security researchers detected malicious activity leveraging ProxyShell vulnerabilities for potential LockFile ransomware attacks.

ProxyShell is a chain of vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 discovered by DevCore security researcher Orange Tsai and reproduced during the August Black Hat security conference.

Hackers leveraging Exchange Servers for LockFile ransomware attacks

Threat actors dropped webshells using ProxyShell vulnerabilities to gain persistence on the affected Microsoft Exchange servers. They used the webshells to install backdoors for Lockfile ransomware attacks and execute Petitpotam attacks to take over the servers.

Huntress researchers discovered evasion tactics involving virtual directories to redirect the endpoint to another location away from the ASP webroot directories. Additionally, the webshell uses the same XML/XLS transform technique previously observed in earlier attacks.

Other opportunists exploiting ProxyShell vulnerabilities include coin miners like WannaMine, according to Huntress security researcher John Hammond. Other cybercriminals could also leverage ProxyShell vulnerabilities to execute ransomware attacks.

Web traffic analysis showed interaction with python User-Agent from specific IP addresses, indicating automated interaction. However, some requests originated from ordinary browsers, suggesting potential human interaction.

Former Microsoft employee Kevin Beaumont criticized Microsoft for downplaying the vulnerabilities as standard monthly Exchange patches for several years. He added that the tech giant failed to allocate CVEs for the Microsoft Exchange vulnerabilities four months after releasing security patches. According to Beaumont, the situation potentially misled many organizations about the severity of the vulnerabilities.

Security researchers have also discovered mass scanning activity searching for ProxyShell vulnerabilities.

Shodan scanning of vulnerable servers produces more than 30,000 vulnerable Microsoft Exchange servers, most of which are sitting ducks for ProxyShell exploits and potential ransomware attacks.

According to Computer Weekly, half of Exchange servers in the UK were vulnerable to ProxyShell exploits.

ProxyShell vulnerabilities weaponized quickly by threat actors

“Attackers began scanning for servers vulnerable to the ProxyShell attack chain almost as soon as Orange Tsai’s presentation went live,” Claire Tills, senior research engineer at Tenable, said. “Given the popularity of its predecessor, ProxyLogon, with attackers, we knew exploitation was coming.”

Tilly noted that while ProxyShell vulnerabilities were being used for LockFile ransomware attacks, “other actors will integrate it into their attacks.”

CISA highlighted the likelihood of threat actors exploiting ProxyShell vulnerabilities to execute attacks. The federal agency advises organizations to install the latest Microsoft security update.

“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”

Although Microsoft released the patches in May 2021, security researchers successfully reproduced the exploit leading to the current predicament.

“The speed with which threat actors weaponized the ProxyShell vulnerabilities highlights why having good threat intelligence is critical,” noted Jake Williams, Co-Founder and CTO at BreachQuest. “This vulnerability was discussed openly and the consensus among researchers was that weaponization was imminent. Those orgs with that early warning were able to prioritize patching and should not be impacted.”

Williams added that while CISA’s alert was helpful, hackers had already started exploiting the flaw in the wild. Consequently, organizations that haven’t patched their systems should consider themselves already compromised. He is, however, urging organizations to install the patches to prevent future attacks.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said that organizations that hadn’t installed the patches should take three actions to prevent attacks.

  1. Deploy updates to affected Exchange Servers.
  2. Investigate for exploitation or indicators of persistence.
  3. Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.

He noted that ransomware attacks usually exploited “known, yet unaddressed, security vulnerabilities” thus making it imperative to maintain good cyber hygiene and stay ahead of threat actors.