25/08/2021

Update on Microsoft ProxyShell vulnerabilities exploited

Please see the latest two updates on the current Print Spooler Issues:

Our network security partner Secureworks are monitoring reports that attackers are actively exploiting the ProxyShell vulnerabilities in on-premises Microsoft Exchange Servers. Despite the availability of patches for these issues, third-party reporting suggests that a large number of internet-facing Exchange Servers are still vulnerable as of this publication.

ProxyShell refers to a combination of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that allow unauthenticated remote attackers to execute code on Microsoft Exchange Servers. Microsoft released security updates for CVE-2021-34473 and CVE-2021-34523 in April and a security update for CVE-2021-31207 in May. These vulnerabilities are similar to but different from the ProxyLogon vulnerabilities that also affected on-premises Exchange Servers and were patched in March.

Threat actors that are reportedly scanning for and exploiting vulnerable servers include the LockFile ransomware group. This group leverages vulnerable Exchange Servers to access and encrypt Windows domains. Secureworks researchers are investigating potential links between LockFile activity and the GOLD DUPONT threat group.

Advice

Customers should review and apply the April and May 2021 Microsoft security updates as appropriate in their environments as soon as possible.

Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

    Our partners