There is active exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, which were patched this May, along with the deployment of LockFile ransomware on the compromised systems.
According to Huntress Labs, the vulnerabilities could enable attackers to bypass ACL controls, with elevated privileges on the Exchange PowerShell backend, which effectively permits the attacker to perform remote code execution.
How are the ProxyShell flaws exploited in Microsoft Exchange Server?
Hackers exploit the vulnerabilities in Microsoft Exchange, collectively dubbed ProxyShell, to install a backdoor for unauthenticated access and later exploitation.
The attack involves three chained Exchange vulnerabilities, namely CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473. The researchers at Huntress Labs claim that attackers are actively exploiting these vulnerabilities against vulnerable Microsoft Exchange Servers, with over 100 incident reports related to this exploit sent on August 17 and 18.
Attackers gain remote access to the compromised servers through web shells, though it is not clear to what extent each of the flaws was used. Over 140 web shells have been detected across no fewer than 1,900 unpatched Exchange Servers to date, according to Huntress Labs.
How to mitigate against the active exploitation of the ProxyShell vulnerabilities?
The ProxyShell vulnerabilities could be exploited to execute arbitrary code on a vulnerable machine.
Therefore, it is highly recommended that organizations identify vulnerable systems on their networks and apply Microsoft's Security Update from May 2021, which remediates all three ProxyShell vulnerabilities and protects against these attacks.
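The first step of that recommendation, finding Exchange servers that have not received the security update, is easy to get wrong because Exchange security updates do not change the version reported by Get-ExchangeServer (AdminDisplayVersion only reflects the Cumulative Update). The file version of ExSetup.exe on each server does change with every security update, so that is what the following PowerShell script compares. This is an added example written for this article, not code from Huntress Labs or Microsoft; it assumes it is run from the Exchange Management Shell with remoting to each server, and the minimum patched build is a mandatory parameter that the operator takes from Microsoft's May 2021 security update documentation (the script deliberately ships no hard-coded build number).

```powershell
# Added example: inventory Exchange servers and flag any whose ExSetup.exe
# file version is below the build that carries the May 2021 security update.
# Assumptions: Exchange Management Shell (Get-ExchangeServer available),
# PowerShell remoting to each server, and a minimum build supplied by the operator.

function Test-ExchangeSecurityUpdateLevel {
    [CmdletBinding()]
    param(
        # Build of ExSetup.exe that contains the May 2021 SU for your CU,
        # e.g. taken from the KB article; there is no safe default, so it is mandatory.
        [Parameter(Mandatory = $true)]
        [version]$MinimumPatchedBuild
    )

    # Script block executed on each Exchange server. ExSetup.exe lives under
    # the path exposed by the ExchangeInstallPath environment variable.
    $probe = {
        $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        if (-not (Test-Path $exSetup)) {
            return [pscustomobject]@{ Computer = $env:COMPUTERNAME; FileVersion = $null; Error = 'ExSetup.exe not found' }
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            FileVersion = (Get-Item $exSetup).VersionInfo.FileVersion
            Error       = $null
        }
    }

    foreach ($server in Get-ExchangeServer) {
        try {
            $result = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock $probe -ErrorAction Stop
        }
        catch {
            # A server we cannot reach must be treated as unknown, not as patched.
            [pscustomobject]@{ Server = $server.Name; FileVersion = $null; Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }

        if ($result.Error) {
            [pscustomobject]@{ Server = $server.Name; FileVersion = $null; Status = $result.Error }
            continue
        }

        $installed = [version]$result.FileVersion
        $status = if ($installed -ge $MinimumPatchedBuild) { 'Patched' } else { 'VULNERABLE - apply May 2021 SU' }

        [pscustomobject]@{
            Server      = $server.Name
            FileVersion = $installed.ToString()
            Status      = $status
        }
    }
}

# Usage (placeholder build; replace with the documented build for your Cumulative Update):
# Test-ExchangeSecurityUpdateLevel -MinimumPatchedBuild '15.1.0.0' | Format-Table -AutoSize
```

Run it per Cumulative Update family if the organization mixes Exchange 2013, 2016 and 2019, since each has its own patched build number. Servers reported as unreachable or as missing ExSetup.exe should be checked by hand rather than assumed safe, and any server flagged vulnerable should also be examined for the web shells described above before it is patched, since patching closes the entry point but does not remove an existing backdoor.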