Around 70,000 Exchange Servers Vulnerable to ProxyNotShell

Two security vulnerabilities, tracked as CVE-2022-41082 and CVE-2022-41040 and collectively known as ProxyNotShell, affect Microsoft Exchange Server 2013, 2016, and 2019. Successful exploitation enables attackers to escalate privileges and gain arbitrary code execution on affected servers.

Threat actors have been abusing ProxyNotShell since it was disclosed, and security researchers recently found that tens of thousands of Exchange servers remain vulnerable to the bugs.

Diving into details

Shadowserver Foundation tweeted that around 70,000 Microsoft Exchange servers are vulnerable to ProxyNotShell attacks.
  • Over 60,000 of these servers are yet to be patched against the CVE-2022-41082 flaw.
  • Newer data shows the number of vulnerable servers falling from 83,946 in December 2022 to 60,865 on January 2.
  • As of January 2, most of the vulnerable Exchange servers are located in Europe (31,578), followed by North America (18,210) and Asia (6,692).

Bypassing mitigations

While researching Play ransomware activity, CrowdStrike researchers found a new exploit technique, OWASSRF, being used against Microsoft Exchange servers.
  • The threat actors abused CVE-2022-41080 together with CVE-2022-41082, the latter being one of the two ProxyNotShell flaws.
  • They gained access through Outlook Web Access (OWA) and used AnyDesk and Plink to maintain that access.
  • This technique lets Play ransomware operators bypass the ProxyNotShell URL rewrite mitigations and achieve remote code execution.

Exchange servers at risk

  • Last month, FIN7 hackers were found using an automated attack platform that abuses SQL injection and Microsoft Exchange bugs to breach enterprise networks, steal data, and select targets based on the organization's size.
  • This attack platform has already been used to compromise 8,147 firms, mainly in the U.S., after scanning more than 1.8 million targets.

The bottom line

Microsoft Exchange servers are lucrative targets for threat actors, as demonstrated by the successful and attempted exploitation of flaws such as ProxyNotShell and OWASSRF. Moreover, since the URL rewrite mitigations can be evaded, only fully patched servers are protected from compromise.
Cyware Publisher