Client advisory: ProxyShell vulnerability remediation

The below information is a guide compiled by CFC Response globally to assist organizations in detecting, eradicating and remediating the ProxyShell vulnerabilities in Microsoft Exchange Server.

Cyber Advisory 3 min Fri, Aug 27, 2021

Take a few moments to read though this guidance and share with the person responsible for IT security within your business to ensure your computer systems stay safe.

 

Recommended response steps

  1. Deploy July 2021 security updates for Microsoft Exchange.
  2. Investigate for exploitation or indicators of persistence.
  3. Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.

Microsoft recommends that you update and investigate in parallel, but if you must prioritize one, prioritize updating and mitigation of the vulnerability.

 

Deploy updates

Affected devices include:

  • Exchange Server 2013 up to CU23
  • Exchange Server 2016 up to CU20
  • Exchange Server 2019 up to CU9

 

Exchange Online, AKA Office 365 or Microsoft 365, is not affected. Exchange Server 2010 is not affected, but reached end-of-life in October 2020, so we strongly recommend not to use Exchange Server 2010.

Microsoft recommends using their Exchange Server Health Checker script to get an inventory of server patch levels. This script is available here: https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

 

Updates are available here: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421  

If for whatever reason you cannot immediately update your server, the recommended temporary mitigation strategy is to block incoming, external traffic over port 443 to Exchange servers.


General hardening

Please see below for some general suggestions on enhancing your organization’s security posture:

  • Patch early and patch often so that attackers do not have the time to exploit a vulnerability before you have had the chance to patch it.
  • Enforce the use of strong, unique passwords across your infrastructure and enforce an account lockout policy. This will prevent attackers guessing passwords or cracking hashes to gain unauthorised access.
  • Ensure protection mechanisms, such as firewalls and an antivirus solution, are in place. A local firewall and a boundary firewall are recommended for an in-depth approach. Ensure your antivirus engine and definitions are kept up to date.
  • Ensure multi-factor authentication is in place for all external access, such as Outlook Web Access.