Last updated 2021-08-31 UTC 09:30
On August 21, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of active exploitation of the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Exploitation of these vulnerabilities allows an adversary to gain unauthorized access to Microsoft Exchange servers.
Sophos customers are protected by multiple detections for the exploitation of these vulnerabilities. These detections can also be used by threat hunters to perform searches in their own environments. More information can be found in the Sophos News article.
The Sophos Managed Threat Response (MTR) team has published detailed guidance on how to address these ProxyShell vulnerabilities. This guidance will be updated as new information becomes available.
Sophos strongly recommends you take this threat seriously and act immediately, if you have not already done so. Security best practices state that you should assume you are impacted and act accordingly. At a minimum you should:
- Back up Exchange IIS/Server logs and then patch all Exchange servers
  - Patching only ensures that the vulnerability cannot be further exploited. If you have already been breached, the software patches do not address post-exploit behavior by a threat actor
- If you are a Sophos XDR customer, perform a threat hunt by running queries to determine possible exposure
- Remove any identified web shells
- Ensure endpoint protection is deployed on all endpoints and servers. Verify that all protections have been enabled and your exclusions are kept to a minimum
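The first and fourth steps above (preserve the logs before patching, then look for web shells) as one added PowerShell example; this is not Sophos' code or a Sophos tool. The Exchange install path, the IIS log path, the backup destination and the lookback window are assumptions (default Exchange 2016/2019 locations) and should be adjusted for your environment.

```powershell
# Added example, not part of the original advisory: preserve Exchange IIS logs
# before patching and list recently written script files in the Exchange web
# roots as candidate web shells for analyst review.
param(
    [string]$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15',  # assumed default install path
    [string]$IisLogRoot   = 'C:\inetpub\logs\LogFiles',                        # assumed default IIS log path
    [string]$BackupRoot   = 'D:\IR\exchange-backup',                           # assumed backup destination
    [int]$LookbackDays    = 30                                                 # assumed hunting window
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Step 1: copy IIS logs and Exchange HttpProxy logs to the backup location.
# Originals are left in place; only the copies are touched.
Copy-Item -Path $IisLogRoot -Destination (Join-Path $dest 'IIS') -Recurse -Force
Copy-Item -Path (Join-Path $ExchangeRoot 'Logging\HttpProxy') `
          -Destination (Join-Path $dest 'HttpProxy') -Recurse -Force

# Record SHA256 hashes of the copied logs so the backup's integrity can be
# verified later in the investigation.
Get-ChildItem -Path $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $dest 'backup-hashes.csv') -NoTypeInformation

# Step 2: hunt for candidate web shells, i.e. ASP.NET script files written
# within the lookback window under the Exchange web roots. Exchange ships
# legitimate .aspx files here, so every hit must be reviewed by an analyst;
# a recent timestamp alone does not make a file malicious.
$since    = (Get-Date).AddDays(-$LookbackDays)
$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess')
)
$hits = Get-ChildItem -Path $webRoots -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
$hits | Export-Csv -Path (Join-Path $dest 'candidate-webshells.csv') -NoTypeInformation
$hits | Format-Table -AutoSize
```

Run the script on each Exchange server before applying the patch, then compare the hashes in candidate-webshells.csv against the detections referenced in the Sophos News article.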
More Info:
- Sophos News: ProxyShell vulnerabilities in Microsoft Exchange: What to do
- SophosLabs Uncut: LockFile ransomware’s box of tricks: intermittent encryption and evasion
- CISA Alert
- NakedSecurity: Webshells explained
- CVE-2021-31207 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207)
- CVE-2021-34473 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473)
- CVE-2021-34523 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523)
Revision history:
- 2021-08-26 UTC 09:20 First publication
- 2021-08-31 UTC 09:30 Added SophosLabs Uncut article link in More Info