Thousands of Microsoft Exchange servers are still vulnerable to this dangerous flaw


Tens of thousands of Microsoft Exchange servers are still vulnerable to a very serious flaw used in ProxyNotShell exploits, researchers warn.

Cybersecurity researchers at the Shadowserver Foundation said nearly 70,000 IPs were vulnerable to CVE-2022-41082, a remote code execution (RCE) vulnerability that was patched in early November last year.

At the time of writing, Shadowserver’s data shows at least 57,000 vulnerable IPs, though the information comes with a disclaimer that the results are “calculated by adding counts of unique IPs, meaning that a ‘unique’ IP may have been counted more than once”.

Mitigations and Patches

“All numbers should be taken as indicative rather than exact,” Shadowserver said, but declining numbers could be an indication of a positive trend.

Two very serious vulnerabilities are referred to as ProxyNotShell: the aforementioned CVE-2022-41082 and CVE-2022-41040, an elevation of privilege flaw that was also patched in early November. The affected versions are Exchange Server 2013, 2016 and 2019.

While mitigations are available, researchers are urging IT professionals to apply the patch instead, as the mitigations can be bypassed. A report from BleepingComputer said ransomware operators used a newly discovered exploit chain to bypass certain ProxyNotShell mitigations and remotely execute malicious code on target devices.

Exchange servers are valuable to attackers and are therefore often targeted. For example, the infamous LockBit group was recently caught deploying malware through compromised Exchange servers. Last summer, two servers belonging to one company were infected with LockBit 3.0. According to the report, the attackers first deployed a web shell, escalated privileges to Active Directory administrator a week later, stole some 1.3 TB of data and encrypted systems hosted on the network.

Late last year, researchers discovered a malicious campaign that also attempted to exploit the already patched ProxyShell vulnerability in Microsoft Exchange.

Via: BleepingComputer
