The Huntress team has been actively researching the ProxyShell exploit as well as spreading awareness on how you can protect your environments from this attack.
There’s some confusion in the community regarding the differences between ProxyShell and ProxyLogon. We want to clear things up so users can patch as needed.
ProxyShell: Disclosed in August 2021
Presented at Black Hat USA 2021
ProxyShell is the more recent exploit that’s impacting on-premises Microsoft Exchange servers. Threat actors are actively scanning for vulnerable Microsoft Exchange servers, exploiting those that have not been properly patched since April or May. To be clear, those who have not patched their on-prem Microsoft Exchange servers since July are vulnerable to ProxyShell.
Once threat actors exploit a system with ProxyShell, they have access to remote code execution, or the ability to run any commands or execute any programs that they’d like as an absolute administrator account. In other words, on-prem Exchange servers that remain unpatched are inviting threat actors to gain “god mode” access to their server and do as they please—move laterally through the environment, grab sensitive information, deploy ransomware—you name it.
We recommend updating to the latest security patch, monitoring for new indicators of compromise and staying up-to-date on new information as it’s released. You can follow the latest developments on our rapid response blog and gather intel from the community on our Reddit post.
This attack chain was presented at the Black Hat USA 2021 Conference in Orange Tsai’s presentation ProxyLogon is Just the Tip of the Iceberg. (Check out the presentation slides, the video proof-of-concept demonstration and the presentation recording.)
ProxyLogon: Disclosed in March 2021
The Mass Exploitation of On-Prem Exchange Servers
ProxyLogon is basically ProxyShell’s mother. ProxyLogon is the vulnerability that HAFNIUM unleashed in March 2021, giving any threat actor who could reach the victim server over the internet remote code execution on it. Because ProxyLogon happened, ProxyShell was able to enter the arena and exploit systems that had not been fully patched to address the original ProxyLogon vulnerability.
At the time of this writing, the scope of the ProxyLogon exploit far surpasses that of ProxyShell. The number of webshells discovered (so far) during the ProxyShell exploit is just around 380. ProxyLogon, on the other hand, produced double that number, and compromised servers are still surfacing. That isn’t to say that ProxyShell shouldn’t be taken just as seriously, though.
So Why Is ProxyShell Notable?
Any exploit that allows an attacker to gain remote code execution abilities isn’t to be taken lightly. This access essentially places a keyboard and mouse in front of the attacker along with an invitation to do what they please within your environment. And while ProxyShell currently isn’t on the same scale as ProxyLogon, it’s important to note that the puzzle pieces are there, and it could potentially impact more systems and grow into a larger problem if folks don’t patch.
Our best advice is to—you guessed it—patch. If you’re sure you’ve patched your on-prem servers with the latest patch, double- and triple-check to be sure that’s really the case. Doing so can save you and your team many potential headaches.
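One way to do that double-check on each on-prem Exchange server, as an added example that is not Huntress’s code: read the file version of ExSetup.exe rather than trusting Get-ExchangeServer, because AdminDisplayVersion only reflects the Cumulative Update level, not whether the Security Update is installed. The minimum patched build is a placeholder you fill in from Microsoft’s Exchange build-number table for your CU; $env:ExchangeInstallPath is assumed to be set, as it is on Exchange servers.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Exchange server itself. Reports whether the installed
# Security Update level meets the build you specify.

# PLACEHOLDER: replace with the patched build for your Cumulative Update,
# taken from Microsoft's Exchange Server build-number documentation.
$MinimumPatchedBuild = [version]'0.0.0.0'
if ($MinimumPatchedBuild -eq [version]'0.0.0.0') {
    throw 'Set $MinimumPatchedBuild to the patched build for your CU before running.'
}

# $env:ExchangeInstallPath points at the Exchange install root on Exchange servers.
$exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
if (-not (Test-Path $exSetup)) {
    throw "ExSetup.exe not found at '$exSetup'. Is this an Exchange server?"
}

# FileVersion looks like "15.02.0922.013"; [version] parses the leading zeros.
# This value changes with Security Updates, unlike AdminDisplayVersion.
$installed = [version](Get-Item $exSetup).VersionInfo.FileVersion

[pscustomobject]@{
    Server         = $env:COMPUTERNAME
    InstalledBuild = $installed.ToString()
    MinimumBuild   = $MinimumPatchedBuild.ToString()
    Patched        = ($installed -ge $MinimumPatchedBuild)
}
```

A Patched value of False means the Security Update has not landed on that server, whatever Get-ExchangeServer reports for the CU.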