4 January 2023

Thousands of MS Exchange servers exposed to ProxyNotShell attacks



Nearly 60,000 Exchange Server instances are still vulnerable to the ProxyNotShell flaws, new research has found.

ProxyNotShell is a moniker for a set of two high-severity Microsoft Exchange vulnerabilities (CVE-2022-41082 and CVE-2022-41040) that have been exploited in hacker attacks linked to a China-based threat actor. CVE-2022-41082 is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while CVE-2022-41040 allows a remote attacker to perform SSRF attacks. Both bugs were fixed as part of Microsoft’s November 2022 Patch Tuesday release.

Last month, cybersecurity firm CrowdStrike revealed that the Play ransomware was using a new exploit chain, dubbed ‘OWASSRF,’ that bypasses ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA).

Shortly after CrowdStrike’s report was released, Shadowserver, a cybersecurity nonprofit dedicated to data collection and analysis, discovered 83,946 Microsoft Exchange Server instances likely vulnerable to CVE-2022-41082. As of January 2, the number of vulnerable servers had dropped to 60,865.

Vulnerable Exchange servers are valuable targets for cybercriminals, who often use compromised servers as a way to break into organizations’ networks. For instance, FIN7, a well-known, financially motivated group focused on targeting businesses worldwide, developed an auto-attack system, which scans for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

