Important update on the Exchange hack: attackers are now actively exploiting the ProxyShell vulnerability!
by Svenja Koch
In March, Microsoft announced four vulnerabilities in Exchange Server that were being actively exploited. Chained together, they grant full access to the affected Exchange Server, which is what makes the current wave of attacks so dangerous. The BSI classified the Exchange hack as "IT threat level: 4 / Red" for companies. Now a new wave of attacks is spreading, after security researcher Orange Tsai presented new attacks on the software at the Black Hat 2021 conference at the beginning of August.
Companies that have not already done so should immediately install all available updates on their servers. The updates were released months ago and close these gaps.
ProxyShell is the name of an attack that chains three Microsoft Exchange vulnerabilities to achieve unauthenticated remote code execution. No fewer than three CVE numbers will go down in history under the name ProxyShell:
- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-31207
They were fixed by Microsoft in April and May with KB5001779 and KB5003435.
Also important to know: Microsoft's PrintNightmare security updates are only partially available!
Several printer vulnerabilities have been threatening Windows for some time. Attackers are now targeting these again and infecting systems with malicious code, so administrators urgently need to take action here too!
In June, a security researcher disclosed a zero-day vulnerability in the Windows print spooler called PrintNightmare (CVE-2021-34527). It is present in the printing implementation of all Windows and Windows Server versions. If exploited, the vulnerability allows remote code execution and escalation to local SYSTEM privileges. Domain controllers are affected as well, so entire networks are at risk of compromise. The problem is that there is as yet no patch for a recently discovered vulnerability (CVE-2021-36958, rated "high") in printer management. Admins therefore have to protect systems by other means, for example by disabling the print spooler service. This, however, means that printing is no longer possible, either locally or over the network.
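As an added example that is not part of the original article, the following PowerShell script applies the interim mitigation described above on a single host: it reports whether the machine is a domain controller and which shared printers would stop working, and only stops and disables the spooler service when run with the `-Apply` switch (a parameter of this script, not a Windows option). Everything else uses built-in cmdlets and must be run from an elevated session.

```powershell
# Added example (not from the original article): apply the print spooler
# workaround for PrintNightmare on a host where printing is not required.
# -Apply is a hypothetical switch of this script; without it nothing changes.
param([switch]$Apply)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDc = $cs.DomainRole -ge 4

$spooler = Get-Service -Name Spooler
Write-Host ("Host: {0}  DomainController: {1}" -f $env:COMPUTERNAME, $isDc)
Write-Host ("Spooler status: {0}  StartType: {1}" -f $spooler.Status, $spooler.StartType)

# Shared printers hosted here stop working once the service is off; list them
# so the operator knows exactly what the mitigation will break.
# (Get-Printer itself needs a running spooler, hence SilentlyContinue.)
$shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if ($shared) {
    Write-Warning ("{0} shared printer(s) hosted here: {1}" -f @($shared).Count, ($shared.Name -join ', '))
}

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to stop and disable the Spooler service."
    return
}

if ($spooler.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
# Disabled rather than merely stopped, so the service does not return after a reboot.
Set-Service -Name Spooler -StartupType Disabled
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Once the relevant patches are installed and printing is needed again, the service can be re-enabled with `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service Spooler`.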
Here, too, the urgent recommendation is: patch!
According to Heise online, the extent of the attacks is not known. Nevertheless, admins should ensure via Windows Update that their systems are up to date and that all currently available PrintNightmare patches (CVE-2021-1675 "high", CVE-2021-34527 "high") are installed.
It is not yet known when Microsoft will close the currently unpatched vulnerability (CVE-2021-36958). In its advisory on the vulnerability, Microsoft only refers to the monthly patch day, the next of which is scheduled for September.