4 January 2023

Thousands of MS Exchange servers exposed to ProxyNotShell attacks


Nearly 60,000 Exchange Server instances are still vulnerable to the ProxyNotShell flaws, new research has found.

ProxyNotShell is a moniker for a set of two high-severity Microsoft Exchange vulnerabilities (CVE-2022-41082 and CVE-2022-41040) that have been exploited in hacker attacks linked to a China-based threat actor. CVE-2022-41082 is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while CVE-2022-41040 allows a remote attacker to perform server-side request forgery (SSRF) attacks. Both bugs were fixed as part of Microsoft’s November 2022 Patch Tuesday release.

Last month, cybersecurity firm CrowdStrike revealed that the Play ransomware was using a new exploit chain, dubbed ‘OWASSRF,’ that bypasses ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA).

Shortly after CrowdStrike’s report was released, Shadowserver, a cybersecurity nonprofit dedicated to data collection and analysis, discovered 83,946 Microsoft Exchange Server instances likely vulnerable to CVE-2022-41082. As of January 2, the number of vulnerable servers had dropped to 60,865.

Vulnerable Exchange servers are valuable targets for cybercriminals, who often use compromised servers as a way to break into organizations’ networks. For instance, FIN7, a well-known, financially motivated group focused on targeting businesses worldwide, developed an auto-attack system, which scans for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
