ProxyNotShell attacks on more than 60,000 Exchange servers

Over 60,000 Microsoft Exchange servers exposed online have yet to be patched against CVE-2022-41082, a remote code execution (RCE) vulnerability and one of the two security holes targeted in ProxyNotShell attacks.

A scan by security researchers from the Shadowserver Foundation, an organization that works to improve internet security, revealed that almost 70,000 Microsoft Exchange servers were vulnerable to ProxyNotShell attacks according to their version information (the servers' x_owa_version header).

New data released on Monday shows a decrease in the number of vulnerable Exchange servers, from 83,946 detected in mid-December to 60,865 on January 2.

Exchange servers vulnerable to ProxyNotShell attacks (Shadowserver Foundation)

These security flaws, known collectively as ProxyNotShell, are tracked as CVE-2022-41040 and CVE-2022-41082. They affect Exchange Server 2013 and 2016.

A successful exploit allows an attacker to gain remote or arbitrary code execution on the server.

Microsoft issued security updates in response to the flaws. ProxyNotShell attacks were detected in the wild.

GreyNoise, a threat intelligence company, has been monitoring ongoing ProxyNotShell exploitation since September 30, and now provides detailed information about the attacks as well as a list of IP addresses linked to them.

Map of Exchange servers unpatched against ProxyNotShell (Shadowserver Foundation)

ProxyLogon and ProxyShell attacks also affected thousands

You can protect Exchange servers against incoming attacks by applying the ProxyNotShell patches released in November.

Although Microsoft provided mitigation steps, attackers can bypass them, so only fully patched servers are safe from compromise.

BleepingComputer reported last month that Play ransomware threat actors are using a new exploit to bypass the ProxyNotShell mitigations and gain remote code execution via Outlook Web Access (OWA).

A Shodan search reveals large numbers of Exchange servers online. Thousands remain unpatched against the ProxyShell or ProxyLogon vulnerabilities, which were among the most widely exploited flaws of 2021.

Exchange servers exposed online (Shodan)

Exchange servers are valuable targets, as shown by the financially motivated FIN7 cybercrime group, which developed a customized auto-attack platform called Checkmarks. It also includes .

Threat intelligence firm Prodaft, which discovered the platform, said it searches for and exploits Microsoft Exchange remote code execution and privilege escalation vulnerabilities, including CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

After scanning more than 1.8 million targets, FIN7's platform had already been used to breach 8,147 businesses, mainly in the United States (16.7%).