Proof-of-concept exploits have been released online for two actively exploited, high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell.
Microsoft has confirmed that the two potentially critical flaws in Exchange Server can allow attackers to execute remote PowerShell commands on a targeted server, giving them the potential to take full control of it.
Microsoft released security updates on time, as promised, addressing the two security flaws. The fixes arrived even though ProxyNotShell attacks had been detected in the wild since at least September 2022.
Security researcher Janggggg just released a proof-of-concept exploit that attackers had used in the wild to backdoor Exchange servers.
Will Dormann, senior vulnerability analyst at ANALYGENCE, confirmed that the exploit works against Exchange Server 2016 (and 2019), and needed some tweaking to get it to work with Exchange Server 2013.
GreyNoise, a threat intelligence company, has tracked ProxyNotShell hacking activity since early October and has published the IP addresses associated with the ProxyNotShell scans.
ProxyNotShell vulnerability scans
Attackers chain the two security flaws in a two-step process to deploy China Chopper web shells on compromised servers for persistence, data theft, and lateral movement.
Microsoft has confirmed that it is aware of limited targeted attacks using the two vulnerabilities.
“As of this moment, we’ve been tracking targeted attacks against all Windows systems,” the Exchange Team warned after the patches were released.
“The vulnerability details in these updates for Exchange Server are of particular interest to Exchange Online customers. They do not need to take any action other than updating their existing Exchange servers that they may be running in their production environment.”
With the two security flaws combined, attackers can plant China Chopper web shells on the servers they compromise. GTSC said the attacks have been chaining the vulnerabilities “via backdoors from outdated software.”