Attackers Scanning for Microsoft Exchange ProxyShell Vulnerabilities
Threat actors are actively scanning for Microsoft Exchange ProxyShell vulnerabilities. Microsoft released fixes for the three vulnerabilities in April; advisories were published in May and July. Technical details about the flaws were disclosed at the Black Hat conference last week.
Three CVEs are being leveraged to exploit the vulnerability: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The first two were patched in April's Exchange KB5001779 cumulative update, the third in the May KB5003435 update. Make sure that you've applied the current Exchange updates, and that you're leveraging Azure Sentinel to check IIS logs for the "/autodiscover/autodiscover.json" and "/mapi/nspi/" strings to detect targeting of your servers for exploitation of the vulnerabilities.
Orange Tsai's talk at Defcon outlined a whole family of possible new vulnerabilities in Exchange. It is unlikely that ProxyShell will be the last such vulnerability. Keep your Exchange patching playbooks handy. It would not surprise me to have Microsoft patch more critical Exchange vulnerabilities later today (or in the next couple months).
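For readers without Azure Sentinel, the same log check can be run directly against IIS W3C logs. The following is an added example (not from the original item or from Microsoft): it parses the `#Fields` header, then flags any request whose URI stem or query contains either indicator string named above. The log lines, hosts and IP addresses are constructed.

```python
"""Flag IIS requests containing the ProxyShell indicator strings.

Added example, not from the original post. Parses W3C extended IIS log text
(#Fields header + space-separated records) and reports any request whose
URI stem or query contains either indicator string.
"""
from __future__ import annotations

INDICATORS = ("/autodiscover/autodiscover.json", "/mapi/nspi/")

# Constructed sample log (hypothetical hosts and IPs) in the W3C extended format IIS writes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-08-09 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 192.0.2.10 200
2021-08-09 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json @test.invalid/mapi/nspi/ 443 198.51.100.7 200
2021-08-09 10:02:15 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 192.0.2.11 200
2021-08-09 10:03:40 10.0.0.5 GET /mapi/nspi/ MailboxId=mbx%40test.invalid 443 198.51.100.7 401
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into one dict per record, keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # field names follow the directive
            continue
        if not raw or raw.startswith("#"):
            continue  # other directives and blank lines
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records


def proxyshell_hits(text: str) -> list[dict[str, str]]:
    """Return records whose stem or query contains an indicator, annotated with which ones matched."""
    hits = []
    for rec in parse_w3c(text):
        # Match against stem and query together; case-insensitive because IIS preserves client case.
        target = (rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")).lower()
        matched = [i for i in INDICATORS if i in target]
        if matched:
            hits.append(dict(rec, indicators=",".join(matched)))
    return hits


if __name__ == "__main__":
    for h in proxyshell_hits(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], h["cs-uri-query"], "->", h["indicators"])
```

A record matching both indicators in a single request is the pattern worth triaging first; a legitimate Autodiscover POST to `autodiscover.xml` does not match either string.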
Read more in
Bleeping Computer: Microsoft Exchange servers scanned for ProxyShell vulnerability, Patch Now
Security Week: Microsoft Exchange Servers in Attacker Crosshairs