Detecting New ProxyShell Exploitation Flow

ProxyShell Vulnerabilities

Make sure your Microsoft Exchange Servers are secured against the ProxyShell vulnerabilities, since attackers keep inventing new ways to profit from exposed instances. Researchers are currently observing multiple phishing campaigns that abuse these flaws for malware delivery, and ProxyShell bugs are increasingly used in a range of operations that end in ransomware infection.

New Attack Chains to Deliver Multitude of Threats

According to a recent Mandiant investigation, adversaries leverage ProxyShell flaws to drop webshells on exposed systems in a new and stealthier way. In some of the analyzed intrusions, the webshell stage is omitted entirely, with attackers instead relying on hidden privileged mailboxes to take over accounts and perform other covert actions.

The updated ProxyShell exploitation flow has been followed by an avalanche of attacks. For example, The DFIR Report details a malicious operation by APT35 (Charming Kitten, TA453) launched in late September 2021. The group used ProxyShell exploits to perform reconnaissance on the attacked systems, dump LSASS, and proxy RDP connections into the environment. As a result, the actor managed to infect systems domain-wide using BitLocker and DiskCryptor ransomware samples.

Another malicious campaign exploiting ProxyShell vulnerabilities was recently detailed by Trend Micro. Here, attackers leveraged ProxyShell and ProxyLogon flaws to send malspam replies into existing email threads and infect victims with the SquirrelWaffle loader. The phishing emails deliver booby-trapped Word and Excel files containing malicious macros. If the macros are enabled, a script launches a DLL loader, which in turn downloads the SquirrelWaffle payload. The final malicious sample is either Cobalt Strike or Qbot. Cybersecurity researcher TheAnalyst provides additional details of this campaign, attributing it to the TA557 (tr01/TR) collective.

ProxyShell Vulnerabilities

ProxyShell is a single name for a trio of separate flaws (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that, when chained, allow attackers to gain administrative access and achieve remote code execution on vulnerable Microsoft Exchange servers. Multiple Exchange Server versions are affected, including 2013, 2016, and 2019.

Although the ProxyShell flaws were publicly disclosed in July, Microsoft had already addressed these security issues back in May 2021. All users with the May or July patches installed are protected. Yet a recent Shodan search indicates that over 23,000 servers are still exposed to intrusion, enabling attackers to compromise systems worldwide.

New ProxyShell Attacks Detection

To help security practitioners detect malicious activity associated with the new ProxyShell exploitation attempts, a batch of dedicated detection content is available for download from the Threat Detection Marketplace repository:

Possible New ProxyShell [CVE-2021-34473/CVE-2021-34523/CVE-2021-31207] Exploit to Write Web Shell [ProxyNoShell] (via process creation)

Conti Ransomware Execution with ProxyShell Exploit

Possible New ProxyShell [CVE-2021-34473/CVE-2021-34523/CVE-2021-31207] Exploitation Flow [ProxyNoShell] (via registry_event)

Exchange Exploit / Ransomware
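To illustrate the kind of logic behind the process-creation variant above (an Exchange worker process writing a web-served script or spawning a shell), here is an added Python example. It is example code written for this page, not SOC Prime's rule or any content from the Threat Detection Marketplace. It assumes Sysmon-style process-creation fields (parent image and command line, child image and command line), that the Exchange application pool name appears in the w3wp.exe command line, and a typical Exchange install layout for the directory fragments; the sample events are constructed.

```python
"""Flag Exchange IIS worker processes (w3wp.exe in an MSExchange app pool) that
spawn a shell or write a web-served script file. Example detection logic, not a
production rule; event shapes and paths are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The Exchange front end runs inside IIS worker processes whose command line
# names the application pool, e.g. `w3wp.exe -ap "MSExchangeOWAAppPool" ...`.
EXCHANGE_WORKER = "w3wp.exe"
EXCHANGE_POOL_MARKER = "msexchange"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Script extensions IIS will execute if they land under a served directory.
WEB_EXTENSIONS = ("aspx", "ashx", "asmx", "asp")
# Assumed Exchange-served directory fragments (typical install layout).
EXCHANGE_WEB_DIRS = ("\\frontend\\httpproxy\\", "\\clientaccess\\", "\\inetpub\\wwwroot\\")

# Windows path (spaces allowed) ending in one of the web extensions.
_WEB_PATH_RE = re.compile(
    r'[a-z]:\\[^"<>|\r\n]*?\.(?:' + "|".join(WEB_EXTENSIONS) + r")\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    event_id: int
    severity: str
    reason: str


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_exchange_worker(parent_image: str, parent_cmdline: str) -> bool:
    """True when the parent is w3wp.exe running an MSExchange* app pool."""
    return (_basename(parent_image) == EXCHANGE_WORKER
            and EXCHANGE_POOL_MARKER in parent_cmdline.lower())


def web_file_targets(cmdline: str) -> List[str]:
    """Return paths in a command line that point at web-served script files
    inside an Exchange-served directory."""
    hits = []
    for path in _WEB_PATH_RE.findall(cmdline):
        if any(d in path.lower() for d in EXCHANGE_WEB_DIRS):
            hits.append(path)
    return hits


def analyze(event: dict) -> Optional[Finding]:
    """Classify one process-creation event."""
    if not is_exchange_worker(event["parent_image"], event["parent_cmdline"]):
        return None
    child = _basename(event["image"])
    targets = web_file_targets(event["cmdline"])
    if targets:
        return Finding(event["id"], "high",
                       f"Exchange worker wrote web-served script: {targets[0]}")
    if child in SHELLS:
        return Finding(event["id"], "medium", f"Exchange worker spawned {child}")
    return None


def detect(events) -> List[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo placeholder > "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\sample.aspx"'},
    {"id": 2, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 3, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy a.txt C:\inetpub\wwwroot\page.aspx"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"event {finding.event_id} [{finding.severity}] {finding.reason}")
```

Event 3 is deliberately not flagged: the parent is w3wp.exe but not an Exchange pool, which keeps the rule scoped to the Exchange front end rather than every IIS site on the host. In practice the same two conditions (Exchange worker spawning a shell; script file written into a served directory) are also worth correlating with file-creation events, since not every webshell write passes through a child process command line.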

Searching for the best SOC content compatible with your SIEM, EDR, and NTDR solutions in use? Explore SOC Prime’s Detection as Code platform to address your custom use cases, boost threat discovery and threat hunting, and get a complete visualization of your team’s progress. Passionate about threat hunting and eager to contribute to the industry-first SOC content library? Join our Threat Bounty Program!
