ProxyShell Exchange Server Flaw Getting Used for Ransomware Attacks
Security researchers are seeing the appearance of LockFile ransomware deployments after attackers gained access to Exchange Server via a so-called "ProxyShell" vulnerability.
ProxyShell is a "Critical"-rated remote code execution vulnerability in Exchange Server products. It's actually a series of three chained vulnerabilities discovered by DevCore security researcher Orange Tsai and shown off earlier this month during the BlackHat security conference.
Since that time, security researchers have detected lots of scanning activity for the ProxyShell vulnerability.
On Aug. 21, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which advises U.S. government agencies on security matters, issued an "urgent" notice stating that "malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207."
That malicious activity leveraging ProxyShell is also being used to drop LockFile ransomware, affirmed Claire Tills, a senior research engineer at security solutions firm Tenable, in a released statement:
ProxyShell is now being used to deploy the LockFile ransomware and I expect other actors will integrate it into their attacks. The threat is certainly real, as CISA warned organizations over the weekend of in-the-wild exploitation. To protect against attacks, organizations should ensure they're applying the patches released in April and May for Microsoft Exchange Servers.
LockFile Ransomware Detection
Lots of systems aren't patched, and Webshells are getting dropped. A honeypot run by former Microsoft employee Kevin Beaumont detected the use of ProxyShell to install ransomware. He described seeing artifacts associated with "LockFile, a new ransomware," per this Aug. 21 DoublePulsar.com post.
LockFile ransomware attackers also are using "the incompletely patched PetitPotam vulnerability" to gain access to Exchange Servers, according to this Aug. 20 post by Symantec researchers.
PetitPotam is a different vulnerability used in NT LAN Manager (NTLM) relay attacks. Microsoft issued a patch for PetitPotam in its Aug. 10 "update Tuesday" patch distribution, as described in security bulletin CVE-2021-36942. However, it's an incomplete fix, according to Will Dormann, a vulnerability analyst at the U.S. Computer Emergency Readiness Team (CERT/CC).
Beaumont explained that the ProxyShell attack method is a more serious threat than the earlier described Exchange Server ProxyLogon vulnerabilities. Microsoft had released out-of-band patches for ProxyLogon in early March. ProxyShell is a greater threat because it doesn't require knowing the e-mail address of an Exchange administrator's mailbox, which was needed for the ProxyLogon attacks. This point was also noted by Rich Warren, a security researcher with NCC Group Research & Technology, in a Twitter post.
Security solutions company Huntress chronicled ProxyShell activity in this Aug. 19 post. Huntress has been monitoring 1,900 Exchange Servers at various patch levels and seeing Webshell activity. At the time, 1,764 of those servers were unpatched.
"This is fairly concerning since we are starting to see active post-exploitation behavior that includes coinminers and ransomware," the Huntress post stated. It added that collaborations with Beaumont and Warren "have helped corroborate that the webshell and LockFile ransomware incidents we're seeing within companies may be related."
Beaumont's post included a Shodan report showing 88,859 systems still vulnerable to ProxyLogon and ProxyShell.
Actions To Take
Microsoft's communications about the ProxyShell vulnerabilities have been "knowingly awful," Beaumont indicated. He suggested that Microsoft should pay security researchers for discovering Exchange vulnerabilities. Microsoft also should describe vulnerabilities in its own products just as it would with other vendors' products, he contended.
Beaumont's post included a list of steps to take, including patching the three ProxyShell vulnerabilities. Organizations also can use Beaumont's nmap script to identify the vulnerabilities. The nmap script is included in the Shodan.io tool, as well.
Beaumont added that "it is incredibly risky to allowlist all activity from w3wp.exe (IIS), as Microsoft recommends."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.