Proxylogon

Vulnerability Profile Updated 2 months ago
ProxyLogon is the name given to a pre-authentication exploit chain against on-premises Microsoft Exchange Server 2013, 2016 and 2019. Its entry point is CVE-2021-26855, a server-side request forgery (SSRF) flaw in the Exchange front-end (Client Access) proxy that lets an unauthenticated attacker relay crafted requests to back-end services as if they came from a trusted Exchange server, bypassing authentication and impersonating users, including administrators. Chained with a post-authentication arbitrary file write (CVE-2021-27065, with CVE-2021-26858 and the Unified Messaging deserialization flaw CVE-2021-26857 as alternative second stages), it yields remote code execution as SYSTEM and was routinely used to drop ASPX web shells.

Microsoft disclosed the chain and released out-of-band patches on 2 March 2021, attributing the initial exploitation to the China-based group HAFNIUM; in-the-wild exploitation had already been observed in early January 2021, so the flaws were exploited as zero-days for roughly two months before disclosure. Once the patches were public, ProxyLogon and the later ProxyShell chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) were adopted by many threat actors, from ransomware operators to China-backed Advanced Persistent Threat (APT) groups that targeted building automation systems and, in the campaign Unit 42 tracks as Operation Diplomatic Specter, stole geopolitical secrets from governmental entities in the Middle East, Africa and Asia.

The repeated use of Exchange exploits underlined the need to patch and harden sensitive internet-facing assets, and federal and state regulators have since introduced rules and mandates that hold organizations accountable for their cybersecurity. In the wake of the attacks, endpoint security vendors added anti-exploitation modules and behavioral threat protection coverage for these flaws, and in April 2021 the FBI obtained court authorization to remove web shells that ProxyLogon attackers had left on hundreds of still-compromised Exchange servers in the United States. Separate court-authorized operations disrupted the Emotet botnet and the Russian Snake (Turla) espionage malware. These efforts underscore the value of proactive measures and of keeping security controls and patch processes current.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles that you may also want to look at.
ID (votes): Profile Description
Proxyshell (6 votes): ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
CVE-2021-26855 (5 votes): CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
Proxynotshell (2 votes): ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2021-26857 (2 votes): no description available
CVE-2021-26858 (1 vote): no description available
CVE-2021-27065 (1 vote): no description available
CVE-2022-41080 (1 vote): CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute
CVE-2022-41040 (1 vote): CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
Tabeshell (1 vote): no description available
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Apt
Microsoft
Ransomware
Exploits
Vulnerability
Fbi
Windows
Proxy
Malware
Phishing
Log4j
Eset
Kaspersky
Remote Code ...
RCE (Remote ...
Espionage
Associated Malware
ID (type, votes): Profile Description
Tomiris (type unspecified, 2 votes): Tomiris is a threat actor, and also the name of its custom backdoor, that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Emotet (type unspecified, 1 vote): Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
WannaCry (type unspecified, 1 vote): WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
Associated Threat Actors
ID (type, votes): Profile Description
Tick (type unspecified, 2 votes): Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
Earth Estries (type unspecified, 1 vote): Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including in the US, Germany, South Africa, Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications sug
Snake (type unspecified, 1 vote): Snake, also known as Uroburos and not to be confused with the unrelated EKANS ransomware, is a long-running espionage implant attributed to Russia's FSB (the Turla group), active since at least 2004, with activity potentially dating back to the late 1990s. It targets diplomatic and government organizations as well as private businesses across various regi
APT27 (type unspecified, 1 vote): APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario
Toddycat (type unspecified, 1 vote): ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor, likely Chinese-speaking, that has been active since at least December 2020. It primarily operates in Asia, targeting government entities in Malaysia, Thailand, and Pakistan. In 2022, Kaspersky reported finding ToddyCat actors using
Associated Vulnerabilities
ID (type, votes): Profile Description
CVE-2021-34473 (type unspecified, 2 votes): CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
Zerologon (type unspecified, 2 votes): Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
CVE-2021-34523 (type unspecified, 1 vote): no description available
Proxyshell Cve (type unspecified, 1 vote): no description available
Proxylogon Cve (type unspecified, 1 vote): no description available
Log4Shell (type unspecified, 1 vote): Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
CVE-2021-40444 (type unspecified, 1 vote): no description available
CVE-2021-34527 (type unspecified, 1 vote): CVE-2021-34527, also known as PrintNightmare, is a software vulnerability that involves a flaw in software design or implementation. The exploitation process begins when a user clicks on a link which downloads a ZIP archive containing a malicious JScript (JS) downloader titled 'Stolen Images Evidenc
Proxynotshell Cve-2022-41040 (type unspecified, 1 vote): no description available
Printnightmare (type unspecified, 1 vote): PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en
CVE-2022-24847 (type unspecified, 1 vote): no description available
Proxylogon (CVE-2021-26855) (type unspecified, 1 vote): no description available
Source Document References
Information about the ProxyLogon vulnerability was read from the document corpus listed below (display limited to 20 results).
Source (created): Title
DARKReading (2 months ago): CISO Corner: Federal Cyber Deadlines Loom; Private Chatbot Danger
BankInfoSecurity (2 months ago): Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 (2 months ago): Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
DARKReading (2 months ago): China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
DARKReading (3 months ago): ToddyCat APT Is Stealing Data on 'Industrial Scale'
Unit42 (5 months ago): Intruders in the Library: Exploring DLL Hijacking
Unit42 (5 months ago): Diving Into Glupteba's UEFI Bootkit
CERT-EU (6 months ago): Preventing Data Loss: Backup and Recovery Strategies for Exchange Server Administrators
CERT-EU (7 months ago): Cybercriminals continue targeting open remote access products - Help Net Security
CERT-EU (7 months ago): GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
CERT-EU (7 months ago): Cybercriminals continue targeting open remote access products | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (7 months ago): WatchGuard Threat Lab: rise in threat actors exploiting remote access software
CERT-EU (8 months ago): WatchGuard Threat Lab Report shows rise in threat actors exploiting remote access software
CERT-EU (8 months ago): Rackspace Ransomware Costs Soar to Nearly $12M | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Support expired: more than 20,000 Exchange servers potentially vulnerable (original German title: Support ausgelaufen: Mehr als 20.000 Exchange Server potenziell angreifbar)
CERT-EU (8 months ago): Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
Securelist (8 months ago): Kaspersky malware report for Q3 2023
SecurityIntelligence.com (8 months ago): X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021
CERT-EU (8 months ago): Are DarkGate and PikaBot the new QakBot?
DARKReading (8 months ago): Rackspace Ransomware Costs Soar to Nearly $12M