Cybercriminals have been seen impersonating security researchers to sell fake proof-of-concept (PoC) exploits for ProxyNotShell, the pair of newly disclosed zero-days in Microsoft Exchange Server.

Fake exploits on GitHub

  • Microsoft and GTSC revealed that scammers have jumped on the bandwagon of the Exchange flaws by creating GitHub repositories that advertise fake exploits.
  • The fake proof-of-concept purports to exploit the Exchange bugs CVE-2022-41040 and CVE-2022-41082.
  • Researchers observed at least five fake accounts promoting it.

Impersonation tactic for fake exploits

  • In one instance, a scammer impersonated well-known security researcher Kevin Beaumont (aka GossiTheDog), who has been documenting the newly disclosed Exchange flaws and the available mitigations.
  • The fake repositories contain no exploit code at all; each holds only a README.md that describes the new flaws and offers to sell a single copy of a PoC exploit.
  • The README files link to a SatoshiDisk page where the fraudster tries to sell the fake exploit.
  • The exploit is offered for 0.01825265 Bitcoin, worth approximately $364 at the time.
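A quick triage check for repositories of this kind, added here as an example and not part of the original article: it looks at a repository's file listing and README for the pattern described above (no source files, a link to a crypto paywall, a Bitcoin price, a "one copy only" pitch) and extracts the CVE identifiers the README claims to cover. The repository contents below are constructed for the example; the paywall host list and the code-file extensions are assumptions you would tune for your own environment.

```python
import re

# Constructed sample, modelled on the fake ProxyNotShell repositories described
# above; this is not the content of any real repository.
SAMPLE_FILES = ["README.md"]
SAMPLE_README = """# ProxyNotShell PoC (CVE-2022-41040 / CVE-2022-41082)
Working exploit for the new Exchange zero-days. Selling only ONE copy.
Buy here: https://satoshidisk.com/pay/ABCD1234
Price: 0.01825265 BTC
"""

# Assumption: file extensions that a real PoC repository would normally contain.
CODE_EXTENSIONS = (".py", ".ps1", ".c", ".go", ".rb", ".js", ".sh", ".cs", ".java", ".rs")
# Assumption: hosts used as cryptocurrency paywalls in scams like the one above.
PAYWALL_HOSTS = ("satoshidisk.com",)


def triage_poc_repo(files, readme):
    """Return CVEs claimed in the README, scam indicators found, and a verdict.

    files:  list of paths in the repository
    readme: README text
    """
    indicators = []

    # A genuine PoC ships code; a README-only repository is the first red flag.
    if not any(f.lower().endswith(CODE_EXTENSIONS) for f in files):
        indicators.append("no source files, README only")

    # Links to a crypto paywall rather than to code.
    for url in re.findall(r"https?://[^\s)>\"']+", readme):
        host = url.split("/")[2].lower()
        if any(host == h or host.endswith("." + h) for h in PAYWALL_HOSTS):
            indicators.append(f"paywall link: {url}")

    # A price in Bitcoin.
    if re.search(r"\b\d+\.\d+\s*(?:BTC|bitcoin)\b", readme, re.I):
        indicators.append("asks for cryptocurrency payment")

    # Scarcity pitch ("only one copy"), a classic scam pressure tactic.
    if re.search(r"\b(?:only one|single) copy\b", readme, re.I):
        indicators.append("scarcity pitch (single copy for sale)")

    cves = sorted(set(c.upper() for c in re.findall(r"CVE-\d{4}-\d{4,}", readme, re.I)))
    return {
        "cves": cves,
        "indicators": indicators,
        "likely_scam": len(indicators) >= 2,
    }


if __name__ == "__main__":
    result = triage_poc_repo(SAMPLE_FILES, SAMPLE_README)
    print("Claimed CVEs:", ", ".join(result["cves"]))
    for ind in result["indicators"]:
        print(" -", ind)
    print("Likely scam:", result["likely_scam"])
```

The verdict threshold of two indicators is deliberately loose: a README that merely mentions a price is not proof of fraud, but a README-only repository that also points at a paywall is exactly the pattern above, and the CVE list lets you match the repository against the flaws you actually care about before anyone on the team pays for or runs anything from it.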

Conclusion

Scams built around unpatched bugs are not a new phenomenon. Whenever a high-profile flaw is disclosed, opportunistic scammers, alongside skilled threat actors such as APT groups and state-sponsored attackers, are quick to exploit the attention it draws. Stay ahead of threats and related updates by subscribing to our threat intel newsletters.
Cyware Publisher