Microsoft Security Intelligence
Published Sep 13, 2021 | Updated Sep 13, 2021

Exploit:Win32/CVE-2021-31207.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This detection indicates that malicious actors have been exploiting the ProxyShell vulnerabilities to drop malicious web shells on Microsoft Exchange Server.

Guidance for end users

Take these steps to help prevent malware infection on your computer.

Guidance for enterprise administrators

Apply these mitigations to reduce the impact of this threat.

  • Apply the latest Security Update for Microsoft Exchange Server. This update includes the fixes for all three vulnerabilities: CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.
  • Initiate containment and mitigation: Identify the credentials that were used on the affected endpoint and consider all associated accounts compromised. Reset passwords or decommission the accounts. Stop suspicious processes and isolate affected devices. Block communication with relevant URLs or IPs at the organization’s perimeter. Investigate the device timeline for indications of lateral movement, credential access, and other attack activities.
  • Check for possible post-exploitation activities, such as unusual behaviors from users with elevated privileges, or suspicious spawned processes. Check for files created by MSExchangeMailboxReplication.exe with extensions other than *.pst, in particular web-based file extensions such as *.aspx.
  • Ensure that Microsoft Defender for Endpoint is up to date, and that real-time behavior monitoring is enabled.
  • Contact your incident response team to start the incident response process. If you don't have one, contact Microsoft support for potential forensic analysis and remediation.
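The file-creation check in the guidance above (files written by MSExchangeMailboxReplication.exe whose extension is not .pst, with web-based extensions such as .aspx being the strongest signal) can be run over exported endpoint telemetry. The script below is an added example and is not code from the Microsoft page; it assumes a simplified file-creation event record (initiating process image and created file path) of the kind an EDR or file-audit export provides, and the set of web-based extensions beyond .aspx is an assumption used for prioritisation. The sample events are constructed for the example.

```python
"""
Added example (not from the Microsoft Security Intelligence page): hunt over
file-creation events for the ProxyShell post-exploitation indicator described in
the enterprise guidance. Event layout, extension list beyond .aspx and the
sample records are assumptions constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Process named in the guidance; compared case-insensitively on the image name only,
# so both a bare name and a full path in the telemetry match.
SUSPECT_PROCESS = "msexchangemailboxreplication.exe"

# The only file type this process is expected to write (mailbox exports).
EXPECTED_EXTENSION = ".pst"

# .aspx is the extension the guidance names; the others are assumed additions
# covering content an IIS-hosted Exchange server would execute as a web shell.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-creation record (assumed shape, not a vendor schema)."""
    initiating_process: str   # image name or full path of the writing process
    file_path: str            # Windows path of the created file


@dataclass(frozen=True)
class Finding:
    file_path: str
    severity: str             # "high" for web-based extensions, "medium" otherwise


def classify_event(event: FileEvent) -> Optional[Finding]:
    """Return a Finding when the event matches the guidance, else None."""
    process_name = PureWindowsPath(event.initiating_process).name.lower()
    if process_name != SUSPECT_PROCESS:
        return None
    ext = PureWindowsPath(event.file_path).suffix.lower()
    if ext == EXPECTED_EXTENSION:
        return None  # normal mailbox export output, not of interest
    # Anything else written by the replication service is worth a look;
    # a web-executable extension is the strongest ProxyShell indicator.
    severity = "high" if ext in WEB_EXTENSIONS else "medium"
    return Finding(event.file_path, severity)


def hunt(events: Iterable[FileEvent]) -> List[Finding]:
    """Apply classify_event to every record and keep the hits in input order."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample telemetry for the example (paths and names are made up).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
              r"C:\Exports\jdoe.pst"),                                   # expected output
    FileEvent("MSExchangeMailboxReplication.exe",
              r"C:\inetpub\wwwroot\aspnet_client\helper.aspx"),          # web shell pattern
    FileEvent("MSExchangeMailboxReplication.exe",
              r"C:\Exports\notes.txt"),                                  # unexpected, non-web
    FileEvent("w3wp.exe",
              r"C:\inetpub\wwwroot\owa\auth\page.aspx"),                 # different process
    FileEvent("msexchangemailboxreplication.EXE",
              r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\x.ASPX"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.file_path}")
```

Matching is done on the image name rather than the full path so the check still works when telemetry records the process with or without its directory; a real hunt would additionally pivot on the creating user and the file's write time to line it up with the device timeline described above.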