25 Aug 2021

Last updated 2021-08-31 UTC 09:30

On August 21, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of active exploitation of ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Exploitation of these vulnerabilities allows an adversary to gain unauthorized access on Microsoft Exchange servers.

Sophos customers are protected by multiple detections for the exploitation of these vulnerabilities. They can be used by threat hunters to perform searches in their own environments. More information can be found in the Sophos News article.

The Sophos Managed Threat Response (MTR) team has published detailed guidance on how to address these ProxyShell vulnerabilities. This guidance will be updated as new information becomes available.

Sophos strongly recommends you take this threat seriously and act immediately, if you have not already done so. Security best practices state you should assume you are impacted and act accordingly. At a minimum you should:

Backup Exchange IIS/Server logs and then patch all Exchange servers
- Patching only ensures that the vulnerability cannot be further exploited. If you have already been breached, the software patches do not address post-exploit behavior by a threat actor
If you are a Sophos XDR customer, perform a threat hunt by running queries to determine possible exposure
Remove any identified web shells
Ensure endpoint protection is deployed on all endpoints and servers. Verify that all protections have been enabled and your exclusions are kept to a minimum

More Info

Change Log

2021-08-26 UTC 09:20 First publication
2021-08-31 UTC 09:30 Added SophosLabs Uncut article link in More Info

Information regarding ProxyShell

More Info