Is an Exchange ProxyNotShell disaster looming at the corner?
In late September 2022, a new 0-day exploit method (ProxyNotShell) was found for on-premises Exchange Server, for which Microsoft released several URL rewrite rules at once in October 2022 as interim protection. Microsoft then released a security update in November 2022 to close the vulnerabilities. Microsoft Exchange servers that are not up to the new patch level are at risk of attackers abusing the ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082 as an entry vector to Microsoft Exchange Server. Before Christmas, I had reported about a suspected new attack vector used by the Play Ransomware group for successful attacks via the ProxyNotShell vulnerabilities. FIN7 is a Russian advanced persistent threat (APT) group that has increasingly targeted the U.S. retail, restaurant and hospitality sectors since mid-2015. And then another tweet came to my attention from Shadowserver, who are scanning the Internet for Microsoft Exchange servers vulnerable to the ProxyNotShell vulnerability CVE-2022-4108 (the report can be found here). The result of these scans is that nearly 70,000 Exchange servers worldwide were found to have arguably not received patches to close the ProxyNotShell vulnerability CVE-2022-4108. While there is some uncertainty because only certain version information was queried. Current data of vulnerable Exchange servers can be viewed in the Shadowserver dashboard.