Unpatched Microsoft Exchange servers hit with ProxyShell attack

Researchers have identified 140+ webshells launched against 1,900 unpatched Microsoft Exchange servers.

Researchers have identified 140+ webshells launched against 1,900 unpatched Microsoft Exchange servers.

The Cybersecurity & Infrastructure Security Agency (CISA) issued an urgent security alert about a sudden and unexpected rise in ProxyShell attacks. The agency has joined hands with the cybersecurity community to spread awareness among organizations to immediately install the latest security update in which Microsoft released patches for Exchange Servers vulnerabilities.

This time around, cybercriminals are targeting a wide range of industries and organizations concerning CISA.

140 Webshells Launched Against Unpatched Servers

Cybersecurity firm Huntress reportedly has discovered 140 webshells launched against 1,900 unpatched Microsoft Exchange servers. Researchers noticed that the ProxyShell vulnerabilities are being exploited by different attackers, aiming to compromise MS Exchange servers across the globe.

The researchers further noted that the ProxyShell vulnerabilities were exploited actively throughout August while threat actors tried to install backdoor access after exploiting the ProxyShell code. The surge in these attacks was noticed from Friday night onwards. 

SEE: Unpatched MS Exchange servers hit by cryptojacking malware

In a tweet posted on August 20, Huntress researcher Kyle Hanslovan revealed that the impacted organizations are incredibly diverse. 

“Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport, and more,” Hanslovan tweeted.

Threat Actors Delivering LockFile Ransomware Too

Huntress researcher John Hammond collaborated with Rich Warren and Kevin Beumont to determine how extensively threat actors exploit these vulnerabilities. According to their analysis, three different MS Exchange Server vulnerabilities are exploited via a transmission protocol port 442 to execute arbitrary commands without any authentication. 

The most common webshells launched against unpatched Exchange servers include XSL Transform, which was used 130 times, Arbitrary File Uploader, Comment Separation, and Obfuscation of the “unsafe” Keyword, Encrypted Reflected Assembly Loader, and Jscript Base64 Encoding and Character Typecasting.

In addition to this, researchers identified that threat actors were exploiting ProxyShell for delivering LockFile ransomware.

The Unique Tactic

The research team assessed a system already infected with LockFile ransomware and ProxyShell and identified an unusual attack tactic where the Exchange internet service configuration file was modified, and a new virtual directory was inserted. This directory helps in redirecting a URL endpoint to another location on the filesystem.


According to Hammond, the attacker can hide the webshell outside of ASP directories’ monitored areas through this tactic.

“If you don’t know to look for this, this is going to slip under the radar and the hackers will persist in the target environment. Additionally, the hidden webshell discovered on this host uses the same XML/XLS transform technique that we have seen previously,” Hammond wrote in his tweet.

About The vulnerabilities

The three ProxyShell vulnerabilities that are exploited include the following:

  • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass
  • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend
  • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE

DEVCORE Research Team’s researcher Orange Tsai discovered these vulnerabilities and demonstrated the exploit chain at the Black Hat and DEF CON conferences and later published detailed information. Beaumont published an nmap plugin that organizations can use to identify unpatched systems.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts