Tens of thousands of Microsoft Exchange servers (opens in new tab) are still vulnerable to a high-severity flaw used in ProxyNotShell exploits, researchers have warned.
Cybersecurity researchers Shadowserver Foundation said almost 70,000 IPs were vulnerable to CVE-2022-41082, a remote code execution (RCE) vulnerability patched in early November last year.
At press time, Shadowserver’s data are showing at least 57,000 vulnerable IPs, although the information comes with a disclaimer that results were “calculated by summing counts of unique IPs, which means that a “unique” IP may have been counted more than once”.
Mitigations and patches
“Any figures should be treated as indicative rather than exact,” Shadowserver said – however declining figures could be an indication of a positive trend.
There are two high-severity vulnerabilities that were dubbed ProxyNotShell – the abovementioned CVE-2022-41082, and CVE-2022-41040, an elevation of privilege flaw that was also patched in early November. The affected endpoints include Exchange Server 2013, 2016, and 2019.
While there are mitigations available, researchers are urging IT pros to apply the patch instead, as the mitigations can be worked around. One report from BleepingComputer saw ransomware operators using a newly-discovered exploit chain to bypass certain ProxyNotShell mitigations and execute malicious code remotely on target devices.
Exchange servers are valuable to hackers, and as such are often targeted. For example, the infamous LockBit group was recently caught deploying malware via compromised Exchange Servers. Last summer, two servers belonging to one company were infected with LockBit 3.0. As per the report, the attackers first deployed web shell, then escalated privileges to Active Directory admin a week later, stole some 1.3 TB of data, and encrypted systems hosted on the network.
Late last year, researchers uncovered a malicious campaign attempting to exploit the already-fixed ProxyShell vulnerability in Microsoft Exchange, too.
Via: BleepingComputer (opens in new tab)
