Microsoft Exchange: Attackers scan for ProxyShell

G Data News


Attackers are currently targeting a set of vulnerabilities known as "ProxyShell". Patches for the vulnerabilities have been available since April and May. G Data recommends that affected companies patch their Exchange servers immediately.

Around the Black Hat security conference, held annually in Las Vegas, security researchers often publish previously unknown vulnerabilities, and this year was no exception: three vulnerabilities in Microsoft Exchange are once again creating work for companies that run an on-premises Exchange server. They are tracked as:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207

"The attacks by the Hafnium group on local Exchange servers in March of this year already led to an extreme number of security incidents," says Tim Berghoff, Security Evangelist at G DATA CyberDefense. "Since attackers are actively trying to exploit the vulnerability, immediate action is very important. The patches have been available since April and May respectively."

Around 400,000 Exchange servers worldwide affected

The attack, dubbed "ProxyShell", chains these three vulnerabilities to gain access to vulnerable systems. Around 400,000 Exchange servers worldwide are potentially affected. In this context, the research team warns against exposing Exchange servers directly to the Internet: Exchange instances reachable from the Internet on port 443 are at increased risk of being targeted.

On-premises installations of Microsoft Exchange 2013, 2016 and 2019 are affected.

Parallels to the Hafnium attacks

As with the Exchange vulnerabilities exploited by the Hafnium group, attackers have already begun actively scanning for systems vulnerable to one of the "ProxyShell" vulnerabilities. These activities are expected to increase further in the coming days.

Attack from a new perspective

All three vulnerabilities have already been patched: two of them since April (KB5001779) and one since May (KB5002325). An update was therefore available before Microsoft was first informed from outside in July, which suggests that the flaw was known internally and was patched "quietly". According to the security researcher with the memorable handle Orange Tsai, ProxyShell has "unprecedented effects", since the investigation of the attack method is not based on memory leaks or logic errors, as is usual, but on "an approach that focuses on the architecture of the system".
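As an added defender-side check (this is not code from the G Data article), the following PowerShell snippet reports the local Exchange build and whether the two security updates named above, KB5001779 and KB5002325, appear among the installed patches. The registry paths it reads (the v15 Setup key and the Windows Installer patch keys) are assumptions about a default on-premises Exchange 2013/2016/2019 install; the KB numbers are the only input taken from the article.

```powershell
# Added example: report the Exchange build and look for the two ProxyShell
# security updates named in the article. Run in an elevated shell on the
# Exchange server itself. Registry locations are assumptions about a
# default on-premises install, not values documented on this page.
$Kbs = @('KB5001779', 'KB5002325')

# Exchange build, read from ExSetup.exe under the assumed v15 Setup key
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction SilentlyContinue
if ($setup -and $setup.MsiInstallPath) {
    $exsetup = Join-Path $setup.MsiInstallPath 'bin\ExSetup.exe'
    if (Test-Path $exsetup) {
        $build = (Get-Item $exsetup).VersionInfo.ProductVersion
        Write-Host "Exchange build: $build"
    }
}

# Exchange Security Updates are MSI patches; their DisplayName is stored
# under the Installer patch keys (assumed location) rather than in Get-HotFix.
$patchRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$installed = @(
    Get-ChildItem $patchRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSPath -match '\\Patches\\' } |
        ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DisplayName } |
        Where-Object { $_ }
)

# Also consult Get-HotFix in case the update was delivered via Windows Update
$hotfixIds = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)

foreach ($kb in $Kbs) {
    $inPatches = @($installed -match $kb).Count -gt 0
    $inHotfix  = $hotfixIds -contains $kb
    $state = if ($inPatches -or $inHotfix) { 'installed' } else { 'NOT FOUND - verify build against Microsoft guidance' }
    Write-Host "$kb : $state"
}
```

A Cumulative Update released after these patches already contains the fix but does not carry these KB names, so a "NOT FOUND" result should be confirmed against the reported build rather than read as proof of exposure.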

More at Sophos.com

About G Data

With comprehensive cyber defense services, the inventor of the anti-virus enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: with over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a "no backdoor" guarantee with the "IT Security Made in Germany" seal of trust from TeleTrusT e.V. G DATA offers a portfolio ranging from anti-virus and endpoint protection to penetration tests, incident response, forensic analyses, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.
