Last updated 2021-08-31 UTC 09:30
On August 21, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of active exploitation of the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Exploitation of these vulnerabilities allows an adversary to gain unauthorized access to Microsoft Exchange servers.
Sophos customers are protected by multiple detections for the exploitation of these vulnerabilities. Threat hunters can also use these detections to search their own environments. More information can be found in the Sophos News article.
The Sophos Managed Threat Response (MTR) team has published detailed guidance on how to address these ProxyShell vulnerabilities. This guidance will be updated as new information becomes available.
Sophos strongly recommends you take this threat seriously and act immediately if you have not already done so. Security best practices state you should assume you are impacted and act accordingly. At a minimum, you should: