Microsoft ProxyShell bugs: Patch immediately!
Posted by: GuidePoint Security
Published 9/1/2021, 9:30am
The recently disclosed Microsoft ProxyShell bugs (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and the PetitPotam bug have been chained together to deliver ransomware attacks, according to news reports last week. Security researchers are billing this threat as worse than the ProxyLogon Exchange vulnerabilities that made headlines in March 2021.
The ransomware gang known as LockFile leveraged the bugs to hack into Microsoft Exchange servers and encrypt Windows domains. While patches for the bugs were issued in April and May, Microsoft did not assign CVE IDs to the vulnerabilities until July, ultimately preventing some businesses from knowing they had vulnerable systems. In addition, more technical details on the bugs were recently published, enabling threat actors to reproduce the exploit.
Currently, threat actors are scanning for vulnerable systems and then hacking Microsoft Exchange Servers using these ProxyShell bugs. Once the Exchange server has been exploited, the cybercriminals use the PetitPotam vulnerability to take over the domain controller.
Next Steps
Last week, Microsoft released security updates and guidance for these three vulnerabilities. The company is urging businesses to patch systems immediately if they have not already done so. Microsoft’s warnings come several days after the Cybersecurity and Infrastructure Security Agency (CISA) issued warnings about the exploitation of the ProxyShell vulnerabilities. Organizations that have implemented the Microsoft patches issued in May and July are protected from this attack.