We are currently observing a high volume of incidents involving the Microsoft Exchange ProxyShell vulnerability chain (distinct from the earlier ProxyLogon bugs), covered by the following CVEs:
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2021-31207 Microsoft Exchange Server Remote Code Execution Vulnerability
In many cases we have seen attackers drop web shells before patches were applied, then return to use those shells for data exfiltration, cryptomining and, ultimately, ransomware deployment.
We recommend that anyone using Microsoft Exchange on premise with OWA services enabled:
Confirm each server is fully patched and running the most recent release from Microsoft (the current Cumulative Update plus the latest Security Update). Please understand that the patch only closes the vulnerability; it does not remediate a server that was compromised before it was applied, and any web shell or account the attacker left behind will still be there afterwards.
Review the Exchange server(s) for the presence of any unexpected ".aspx" or ".aspx.req" files. These could be web shells. Because Exchange's IIS application pools run as LocalSystem, a web shell executes in the SYSTEM context and gives the attacker full control of the Exchange server. Exchange ships many legitimate .aspx files, so compare anything unfamiliar against the same path on a known-clean installation rather than judging by file name alone.
Review the server for the presence of any of the file hashes listed in the most recent CISA alert (https://us-cert.cisa.gov/ncas/alerts/aa21-321a).
Review your environment for any newly created accounts, both local accounts on the Exchange servers and Active Directory accounts. The attackers have been observed creating accounts as part of the attack chain.
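The four checks above pulled together as a first-pass triage script, as an added example rather than FRSecure's own tooling or anything from the CISA alert. It assumes an Exchange 2013/2016/2019 install (the v15 registry key), the directory list in the script, a 90-day look-back window, and an IOC file named aa21-321a-sha256.txt that you create yourself by copying the SHA256 values from the CISA alert, one per line; the content-marker regex is a heuristic for prioritising review, not a detection signature.

```powershell
#Requires -RunAsAdministrator
# Added triage example (not FRSecure's script). Run in an elevated PowerShell on each
# on-premises Exchange server. Assumptions: Exchange v15 registry key, the directory
# list below, a 90-day look-back and an IOC file you build from the CISA alert.
param(
    [int]$LookbackDays = 90,
    [string]$IocHashFile = "$PSScriptRoot\aa21-321a-sha256.txt"   # assumed file name
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Report the installed build so it can be compared with Microsoft's Exchange build table.
$setup        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
$exchangeRoot = $setup.MsiInstallPath
$build        = (Get-Item (Join-Path $exchangeRoot 'bin\ExSetup.exe')).VersionInfo.ProductVersion
Write-Host "Exchange build: $build  (compare with the current CU + SU before trusting this host)"

# 2. Hunt for web shells. Directories are assumptions; FrontEnd\HttpProxy (e.g. owa\auth)
#    and inetpub\wwwroot\aspnet_client are the commonly reported drop locations.
$webRoots = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $exchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot'
) | Where-Object { Test-Path $_ }

# Any .aspx.req file is suspect; .aspx files are suspect if created or modified inside the window.
$suspects = Get-ChildItem -Path $webRoots -Recurse -File -Include '*.aspx', '*.aspx.req' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*.aspx.req' -or $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since }

# Heuristic markers seen in ASPX web shells (process execution, script eval, in-memory loading).
$shellPattern = 'ProcessStartInfo|Process\.Start|cmd\.exe|powershell|eval\(|JScript\.Eval|Assembly\.Load'

Write-Host "`n== Recently created/modified .aspx and all .aspx.req files =="
$suspects | ForEach-Object {
    [pscustomobject]@{
        Path             = $_.FullName
        Created          = $_.CreationTime
        Modified         = $_.LastWriteTime
        SHA256           = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
        ShellLikeContent = [bool](Select-String -LiteralPath $_.FullName -Pattern $shellPattern -Quiet)
    }
} | Format-Table -AutoSize

# 3. Match every file under the web roots against the IOC hash list from the CISA alert.
#    The alert's hashes also cover tooling dropped elsewhere; widen the scan roots as needed.
Write-Host "`n== IOC hash matches =="
if (Test-Path $IocHashFile) {
    $iocs = Get-Content $IocHashFile |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ -match '^[0-9A-F]{64}$' }           # keep only well-formed SHA256 values
    Get-ChildItem -Path $webRoots -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object { $iocs -contains $_.Hash } |
        Select-Object Path, Hash | Format-Table -AutoSize
} else {
    Write-Warning "No IOC file at $IocHashFile; skipping hash check"
}

# 4. Newly created accounts: local creations from Security event 4720, AD creations via whenCreated.
Write-Host "`n== Accounts created on this host since $since (Security event 4720) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data     # parse named fields rather than relying on positions
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CreatedBy  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } | Format-Table -AutoSize

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host "`n== Active Directory accounts created since $since =="
    Import-Module ActiveDirectory
    Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated |
        Select-Object SamAccountName, whenCreated, Enabled | Format-Table -AutoSize
} else {
    Write-Warning "ActiveDirectory module not present; run the AD check from a host that has RSAT"
}
```

Everything the script prints is a lead, not a verdict: an .aspx file that Exchange itself ships will show up if the patch touched it, and a legitimate admin may have created an account. Where a file does look like a shell or a hash matches the alert, treat the host as compromised, preserve the file and the IIS logs for the incident responder rather than deleting them, and assume the attacker already has SYSTEM on that server.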
If you identify any indicators of compromise and need further assistance, please reach out at *protected email*.
We will continue to release updates as the situation progresses and we learn more.
Author: Oscar Minks
President of FRSecure, Oscar Minks, is a seasoned security and ethical hacking expert with over two decades of technical experience.
To Oscar, our focus on fixing a broken industry is key. Leading by example and demonstrating the importance of doing things correctly, not just conveniently, remains a major focus in his position among FRSecure's leadership today.
Oscar is a frequent speaker at security events and conventions, the author of FRSecure's Annual State of InfoSec Report, and a leading voice in the security world.