ProxyLogon

Vulnerability updated a day ago (2024-09-07T01:17:43.578Z)
ProxyLogon is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, tracked as CVE-2021-26855. It is the entry point of the ProxyLogon exploit chain: an unauthenticated request to the Exchange front end is forwarded to a back-end endpoint chosen by the attacker, which bypasses authentication and lets the attacker act as any mailbox user; chained with a post-authentication arbitrary file-write flaw (CVE-2021-27065) it yields code execution, typically by writing a web shell. ProxyLogon is frequently grouped with ProxyShell, a separate Exchange exploit chain whose first stage is CVE-2021-34473. Both have been widely exploited by threat actors, including Advanced Persistent Threat (APT) groups attributed to China, who used them to compromise Exchange servers and steal geopolitical intelligence from governmental targets in the Middle East, Africa, and Asia.

ProxyLogon was disclosed and patched out-of-band on 2 March 2021; the ProxyShell flaws were patched in April and May 2021 and described publicly in August 2021. Each disclosure was followed by a sharp rise in exploitation, in many cases to deploy web shells on compromised Exchange servers. In April 2021 the FBI obtained court authorization to remove web shells from hundreds of still-compromised Exchange servers in the United States without the owners' prior knowledge; it has used the same court-authorized approach in separate operations against Emotet and the Russian Snake data-theft malware. Exploitation of ProxyLogon predates the public disclosure (Volexity observed in-the-wild exploitation in early January 2021); for some campaigns that were attacking Exchange servers in late 2020, whether ProxyLogon was the vector has not been confirmed.

To mitigate ProxyLogon and ProxyShell, organizations are advised to deploy anti-exploitation and behavioral threat protection modules, which can block exploitation of these and similar vulnerabilities; Cortex XSIAM is one product offering such anti-exploit protection. Above all, internet-facing Exchange servers should be patched promptly and hardened, given these actors' repeated use of Exchange exploits for initial access.
Description last updated: 2024-09-07T00:23:09.629Z
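The description above says the ProxyLogon SSRF lets an unauthenticated request be routed to a back end the attacker chooses. On the server that routing decision is recorded in the Exchange HttpProxy logs, and Microsoft's published hunting guidance for CVE-2021-26855 is to search those logs for an AnchorMailbox value matching ServerInfo~*/*. The script below is an added example, not code from this page or from Microsoft: it applies that check to a constructed sample written in the HttpProxy log layout (a "#Fields:" header followed by CSV rows). The column subset, host names, IP addresses and sample rows are all constructed for illustration.

```python
"""Triage Exchange HttpProxy logs for CVE-2021-26855 (ProxyLogon) SSRF indicators.

Added example, not the page's or Microsoft's code. The detection rule follows
Microsoft's public hunting pattern for CVE-2021-26855: an AnchorMailbox of the
form ServerInfo~*/* (a ServerInfo anchor that carries a path). The log sample,
its column subset, host names and IP addresses are constructed for illustration.
"""
import csv
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample modelled on the HttpProxy log layout. Real logs carry many
# more columns; only the ones needed for triage are included here.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus,BackEndStatus
2021-03-01T10:02:11.100Z,mail.example.test,/owa/,FBA,true,EXAMPLE\\alice,Sid~S-1-5-21-1111,Mozilla/5.0,203.0.113.10,200,200
2021-03-01T10:02:13.412Z,mail.example.test,/autodiscover/autodiscover.xml,Basic,true,EXAMPLE\\bob,Smtp~bob@example.test,Microsoft Office/16.0,203.0.113.11,200,200
2021-03-01T10:05:40.001Z,mail.example.test,/ecp/y.js,,false,,ServerInfo~a]@exch01.example.test:444/autodiscover/autodiscover.xml?#,python-requests/2.25.1,198.51.100.7,200,200
2021-03-01T10:05:41.220Z,mail.example.test,/owa/auth/x.js,,false,,ServerInfo~a]@exch01.example.test:444/ecp/proxyLogon.ecp?#~1941962753,python-requests/2.25.1,198.51.100.7,200,200
2021-03-01T10:06:02.900Z,mail.example.test,/ecp/default.flt,,false,,ServerInfo~exch01.example.test,Mozilla/5.0,203.0.113.12,200,200
"""

SSRF_ANCHOR_PREFIX = "ServerInfo~"


def parse_httpproxy_log(text: str) -> List[dict]:
    """Parse a '#Fields:' header plus CSV rows into dicts; skip other '#' lines."""
    fields = None
    rows: List[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxylogon_ssrf(row: dict) -> bool:
    """Microsoft's hunting pattern is ServerInfo~*/* .

    A bare ServerInfo~<host> anchor is a routing hint the front end can emit on
    its own and is not flagged; a ServerInfo anchor that also carries a path is
    the attacker-supplied back-end target characteristic of CVE-2021-26855.
    """
    anchor = row.get("AnchorMailbox", "")
    if not anchor.startswith(SSRF_ANCHOR_PREFIX):
        return False
    return "/" in anchor[len(SSRF_ANCHOR_PREFIX):]


@dataclass
class Hit:
    when: str
    client_ip: str
    url_stem: str
    anchor: str
    authenticated: bool


def find_proxylogon_hits(text: str) -> List[Hit]:
    """Return every log row whose AnchorMailbox matches the SSRF pattern."""
    hits: List[Hit] = []
    for row in parse_httpproxy_log(text):
        if is_proxylogon_ssrf(row):
            hits.append(Hit(
                when=row.get("DateTime", ""),
                client_ip=row.get("ClientIpAddress", ""),
                url_stem=row.get("UrlStem", ""),
                anchor=row["AnchorMailbox"],
                authenticated=row.get("IsAuthenticated", "").lower() == "true",
            ))
    return hits


def attacker_ips(hits: Iterable[Hit]) -> Set[str]:
    """Distinct client addresses behind the flagged requests, for blocking/pivoting."""
    return {h.client_ip for h in hits}


if __name__ == "__main__":
    found = find_proxylogon_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.when} {h.client_ip} {h.url_stem} -> {h.anchor}")
    print("source addresses:", sorted(attacker_ips(found)))
```

On a real server the input is every file under the Exchange installation's Logging\HttpProxy directory; the pattern is the same, and the unauthenticated hits with a scripted User-Agent and a ServerInfo anchor pointing at port 444 are the ones to chase first. The last sample row shows the edge case the rule is built around: a ServerInfo anchor with no path is not reported.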
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track; the following overlapping names and profiles may also be relevant.

- ProxyShell (6 votes): ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
- CVE-2021-26855 (5 votes): CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on
- CVE-2021-26857 (2 votes): no description
- ProxyNotShell (2 votes): ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Exploit, APT, Microsoft, Ransomware, Vulnerability, Exploits.
Associated Malware
- Tomiris (type unspecified, 2 votes): Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Associated Threat Actors
- Tick (type unspecified, 2 votes): Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
Associated Vulnerabilities
- Zerologon (type unspecified, 2 votes): Zerologon, also known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol that affects all versions of Windows Server OS from 2008 onwards. The flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Ac
- CVE-2021-34473 (type unspecified, 2 votes): CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
Source Document References
Information about the ProxyLogon vulnerability was read from the documents below (display limited to 20 results).

- Unit42 (a day ago): Chinese APT Abuses VSCode to Target Government in Asia
- DARKReading (3 months ago): CISO Corner: Federal Cyber Deadlines Loom; Private Chatbot Danger
- BankInfoSecurity (3 months ago): Active Chinese Cyberespionage Campaign Rifling Email Servers
- Unit42 (3 months ago): Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
- DARKReading (3 months ago): China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
- DARKReading (5 months ago): ToddyCat APT Is Stealing Data on 'Industrial Scale'
- Unit42 (6 months ago): Intruders in the Library: Exploring DLL Hijacking
- Unit42 (7 months ago): Diving Into Glupteba's UEFI Bootkit
- CERT-EU (8 months ago): Preventing Data Loss: Backup and Recovery Strategies for Exchange Server Administrators
- CERT-EU (9 months ago): Cybercriminals continue targeting open remote access products - Help Net Security
- CERT-EU (9 months ago): GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
- CERT-EU (9 months ago): Cybercriminals continue targeting open remote access products - National Cyber Security Consulting
- CERT-EU (9 months ago): WatchGuard Threat Lab: rise in threat actors exploiting remote access software
- CERT-EU (9 months ago): WatchGuard Threat Lab Report shows rise in threat actors exploiting remote access software
- CERT-EU (9 months ago): Rackspace Ransomware Costs Soar to Nearly $12M - National Cyber Security Consulting
- CERT-EU (9 months ago): Support expired: more than 20,000 Exchange servers potentially vulnerable (original title: Support ausgelaufen: Mehr als 20.000 Exchange Server potenziell angreifbar)
- CERT-EU (9 months ago): Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
- Securelist (9 months ago): Kaspersky malware report for Q3 2023
- SecurityIntelligence.com (10 months ago): X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021
- CERT-EU (10 months ago): Are DarkGate and PikaBot the new QakBot?