Media Coverage

Shadowserver in the news

Attacks Target Control Web Panel Flaw

Duo Security, January 11, 2023

Attackers are targeting a recently patched vulnerability in the CentOS Control Web Panel that allows remote unauthenticated code execution on vulnerable servers. The bug has been public for several days and the researcher who discovered it has published exploit code for it, as well. The maintainers of CWP released a new version of the software to address the vulnerability, but because CWP is used as an interface for websites, it’s likely that many organizations haven’t updated just yet. CWP is a popular web interface for website hosting. Researcher Numan Turle of Gais Security discovered the vulnerability (CVE-2022-44877) and reported it to Control Web Panel, which released an update in October. The details of the vulnerability emerged last week, along with a proof-of-concept exploit that Turle developed, and now attackers are beginning to exploit the bug. On Wednesday, researchers at The Shadowserver Foundation, which tracks vulnerabilities, exploit attempts, and other Internet trends, reported seeing exploit attempts ramping up against the CWP flaw. And data from GreyNoise, which also tracks attack traffic, shows exploit attempts against this flaw, as well. “We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation first observed Jan 6th,” Shadowserver said on Twitter.

Microsoft's first Patch Tuesday of 2023 delivers a massive 98 fixes

ZDNet, January 11, 2023

Windows and Office admins get a busy start to 2023, with Microsoft releasing 98 security fixes for its platforms — that’s a big haul when compared to most Patch Tuesdays and almost double the number it turned out leading into the holiday season. January 2023 Patch Tuesday addresses two zero-day flaws but only one of them is known to be actively exploited, which is the critical Windows flaw, tracked as CVE-2023-21674. This flaw allows an attacker with local privileges to elevate to system, the highest level of privileges. It has a CVSSv3 severity score of 8.8 out of 10. Earlier this month, security research group Shadowserver reported that there were 70,000 unpatched Exchange Servers exposed on the internet to highlight how many were likely still vulnerable to two Exchange Server zero-day flaws Microsoft patched in November, dubbed ProxyNotShell.

Many Exchange servers still not patched

SicherHeitsForum, January 9, 2023

Many Microsoft Exchange Servers around the world are still likely to be unpatched. Since Exchange Servers are connected to the Internet, attackers can exploit existing vulnerabilities to compromise them. At the end of December 2022, security researchers from the Shadowserver Foundation scanned the Internet and posted a message on Twitter. According to the report, a total of around 70,000 vulnerable Microsoft Exchange servers have been found. The figures show that just under 30,000 servers in Europe are affected. Admins should therefore ensure that the latest security updates are installed.

More than 60,000 Microsoft Exchange Servers still vulnerable to ProxyNotShell

TechMonitor, January 4, 2023

Despite repeated warnings, many businesses have not taken steps to combat the problem which leaves systems open to attack. Data released this week by the ShadowServer Foundation, a non-profit focusing on internet security, found that 60,865 have not yet patched against the vulnerability, which was discovered last year. Microsoft released patches for the ProxyNotShell vulnerabilities in November, but many companies have been slow to implement the security measures, despite Microsoft stating at the time that it “recommends that customers protect their organizations by applying the updates immediately to affected systems.” Hacking gangs Play, LockBit and BlackCat are among those known to have taken advantage of the vulnerability. Play uses Microsoft Exchange Server vulnerabilities as a leading technique of intrusion, according to security company Crowdstrike.

Patch now! 60,000 Exchange servers still vulnerable to ProxyNotShell attacks

heise online, January 4, 2023

Security researchers warn of vulnerable Exchange servers. 30,000 of them are in Europe, the majority in Germany. Security patches are available. At the end of December 2022, security researchers from the Shadowserver Foundation scanned the Internet and, according to a post on Twitter, came across around 70,000 vulnerable servers. According to current dashboard data, there are now around 60,000 systems. The figures show that there are almost 30,000 servers in Europe. In Germany there are still around 10,000 vulnerable Exchange servers at the beginning of 2023. Malicious code attacks have been taking place since September 2022. Recently, the situation worsened when attackers combined two vulnerabilities (CVE-2022-41082 "high", CVE-2022-41080 "high") in a new way.

The results of a security monitoring: Iran is the third most infected country with malware

Digiato, January 4, 2023

The data of the Shadowserver Foundation, which is active in the field of cyber security, shows that in the past few days Iran has ranked third among the countries with the most known malware infections. The average level of contamination of systems during the last three months in Iran placed our country in seventh place. It seems that network filtering at the end of September and extensive efforts to bypass these limitations are one of the factors of obtaining such rank. According to experts, filtering and people’s use of free VPNs is one of the main factors in the spread of malware. Since the end of September and the filter of Instagram and WhatsApp, people’s need to use tools to bypass these restrictions has increased; an issue that seriously threatens the security of devices in people’s hands. In the meantime, the Google Play filter has also reduced the possibility of safer access to applications, and users go to unreliable sources in cyberspace to download their desired programs.

Many Exchange servers still vulnerable to ProxyNotShell flaw

TechTarget, January 3, 2023

A new exploit chain using one of the ProxyNotShell vulnerabilities has bypassed Microsoft’s URL Rewrite mitigations from September and put Exchange servers at risk. Approximately 60,000 IP addresses with internet-facing Exchange Server instances are still vulnerable to ProxyNotShell flaw CVE-2022-41082, according to cybersecurity nonprofit Shadowserver Foundation. CrowdStrike published a blog post last month revealing that a new exploit chain, referred to as “OWASSRF,” bypassed Microsoft’s URL Rewrite mitigations. OWASSRF combines ProxyNotShell bug CVE-2022-41082 with elevation of privilege flaw CVE-2022-41080, and it has been used in several Play ransomware attacks in recent weeks. Shadowserver, a cybersecurity nonprofit dedicated to data collection and analysis, has been scanning for IP addresses with instances of Microsoft Exchange Server that are likely vulnerable to CVE-2022-41082. On Dec. 21, the day after CrowdStrike’s research went live, Shadowserver found 83,946 vulnerable IP addresses. As of Jan. 2, that number dropped to 60,865. Shadowserver CEO Piotr Kijewski told TechTarget Editorial that compared with other recent Exchange Server security issues, the new exploit chain has not reached similar awareness levels.

“My personal take is that there is a bit less of awareness of this current issue, and hence the patching is slower,” he said. “Previous messaging on this issue focused a lot on mitigations initially, which as it turns out now were insufficient. The latest patches from [Microsoft] on Nov. 8 were not hyped as much as they should have been.”

Kijewski added that due to the way Shadowserver’s Exchange scanner is set up, it is unlikely that many of the tracked vulnerable Exchange instances are honeypots set up by researchers.

Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks

Bleeping Computer, January 3, 2023

More than 60,000 Microsoft Exchange servers exposed online are yet to be patched against the CVE-2022-41082 remote code execution (RCE) vulnerability, one of the two security flaws targeted by ProxyNotShell exploits. According to a recent tweet from security researchers at the Shadowserver Foundation, a nonprofit organization dedicated to improving internet security, almost 70,000 Microsoft Exchange servers were found to be vulnerable to ProxyNotShell attacks according to version information (the servers’ x_owa_version header). However, new data published on Monday shows that the number of vulnerable Exchange servers has decreased from 83,946 instances in mid-December to 60,865 detected on January 2nd. These two security bugs, tracked as CVE-2022-41082 and CVE-2022-41040 and collectively known as ProxyNotShell, affect Exchange Server 2013, 2016, and 2019.

In the Czech Republic, 844 servers running Microsoft Exchange are still vulnerable to ProxyNotShell

Lupa.cz, January 3, 2023

There are still a number of vulnerable servers running Microsoft Exchange in the Czech Republic. According to the Shadowserver service, there are 844 servers that can be exploited through the ProxyNotShell vulnerability. The figure is valid as of the first of January this year, CESNET pointed out. Shadowserver further states that 66,000 IP addresses with the same vulnerability were found. Sixteen thousand of them are in the United States, twelve thousand in Germany.

Is an Exchange ProxyNotShell disaster looming at the corner?

Born's Tech and Windows World, December 28, 2022

In late September 2022, a new 0-day exploit method (ProxyNotShell) was found for on-premises Exchange Server, for which Microsoft released several URL rewrite rules at once in October 2022 as interim protection. Microsoft then released a security update in November 2022 to close the vulnerabilities. Microsoft Exchange servers that are not up to the new patch level are at risk of attackers abusing the ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082 as an entry vector to Microsoft Exchange Server. Before Christmas, I had reported about a suspected new attack vector used by the Play Ransomware group for successful attacks via the ProxyNotShell vulnerabilities. FIN7 is a Russian advanced persistent threat (APT) group that has increasingly targeted the U.S. retail, restaurant and hospitality sectors since mid-2015. And then another tweet came to my attention from Shadowserver, who are scanning the Internet for Microsoft Exchange servers vulnerable to the ProxyNotShell vulnerability CVE-2022-4108 (the report can be found here). The result of these scans is that nearly 70,000 Exchange servers worldwide were found to have arguably not received patches to close the ProxyNotShell vulnerability CVE-2022-4108, although there is some uncertainty because only certain version information was queried. Current data on vulnerable Exchange servers can be viewed in the Shadowserver dashboard.