On the occasion of the November 2022 Patch Tuesday, Microsoft fixed the ProxyNotShell vulnerabilities in Exchange Server. However, these vulnerabilities continue to be heavily exploited, and a new exploit is now publicly available, which could enable mass exploitation.
For several weeks, we have been hearing about the ProxyNotShell security vulnerabilities, which have been known since September 2022. Tracked as CVE-2022-41082 and CVE-2022-41040, these vulnerabilities allow an attacker to elevate privileges and compromise the Exchange mail server. As a reminder, they affect Exchange Server 2013, 2016 and 2019.
To protect yourself, you should update your Exchange server to benefit from the latest security patches. Additionally, you can set up the free CrowdSec tool to block common attacks as well as more specific attacks like this one. I recently talked about it in a dedicated article, as part of my series of articles on installing and configuring Exchange.
The security researcher Janggggg posted a PoC exploit used by hackers in attacks that deploy a backdoor on Exchange servers. Meanwhile, Will Dormann tested this exploit and confirmed that it worked against Exchange Server 2016 and 2019. For it to work against Exchange Server 2013, some adjustments to the code are necessary.
The trend is clear: cybercriminals seek to exploit the ProxyNotShell vulnerabilities to compromise Exchange servers and use them as an initial foothold, with the aim of compromising the rest of the infrastructure. This new exploit is proof that the threat is real.
In some cases, as revealed by GreyNoise, the goal is to deploy the China Chopper web shell after exploiting the two CVEs mentioned above (exploiting these two flaws in a chain is necessary to compromise the server).
If you have an Exchange server, remember to update it without delay.