ProxyShell Attacks Pummel Unpatched Exchange Servers - silversurfer - 24 August 21
Quote: Over the weekend, the Cybersecurity & Infrastructure Security Agency (CISA) issued an urgent alert that attackers are actively attacking ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers, joining researchers in urging organizations to immediately install the latest Microsoft Security Update.
Security researchers at Huntress reported seeing ProxyShell vulnerabilities being actively exploited throughout the month of August to install backdoor access once the ProxyShell exploit code was published on Aug. 6. But starting Friday night, Huntress reported a “surge” in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.
“Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more,” Huntress researcher Kyle Hanslovan said in an Aug. 20 tweet.
Considering the industries represented, it’s unsurprising that CISA jumped in to call for organizations to shore up defenses against the wave of attacks.
Huntress researcher John Hammond, working in collaboration with Kevin Beaumont and Rich Warren, was able to establish that in addition to webshell attacks, threat actors were also exploiting ProxyShell to deliver LockFile ransomware.
The most common webshell deployed against Exchange servers was XSL Transform (used 130 times), followed by Encrypted Reflected Assembly Loader, Comment Separation and Obfuscation of the “unsafe” Keyword, Jscript Base64 Encoding and Character Typecasting and Arbitrary File Uploader, according to Huntress.
Read more: ProxyShell Attacks Pummel Unpatched Exchange Servers | Threatpost