Proxylogon

Vulnerability updated a month ago (2024-10-24T09:01:07.367Z)
ProxyLogon is a significant software vulnerability in Microsoft Exchange Server. The name covers an exploit chain that includes CVE-2021-26855, a server-side request forgery (SSRF) flaw that lets attackers bypass authentication and impersonate users. ProxyLogon was likely used to compromise nodes alongside other vulnerabilities such as ProxyShell. The chain also includes two arbitrary file write vulnerabilities on Windows systems, CVE-2021-27065 and CVE-2021-26858, both carrying a high CVSS rating of 7.8. Exploitation of these vulnerabilities has driven widespread cyberattacks on hotels, governments, and private companies worldwide since March 2021. The FBI responded by obtaining court approval to remove the Russian Snake data theft malware, the Emotet malware, and web shells deployed on Microsoft Exchange servers in ProxyLogon attacks. State-sponsored actors, including China-backed APT groups, often used these exploits to steal geopolitical secrets from regions including the Middle East, Africa, and Asia. To protect against exploitation, Anti-Exploitation modules and Behavioral Threat Protection have been recommended; delivered through Cortex XSIAM, these protections use behavioral analytics to defend against credential-based attacks and cover vulnerabilities associated with both ProxyShell and ProxyLogon. Implementing these protective measures is also crucial in preparing organizations for upcoming cybersecurity deadlines set by federal and state regulators.
Description last updated: 2024-10-24T08:02:14.691Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias | Description | Votes
Proxyshell | Proxyshell is a possible alias for Proxylogon. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac | 7
CVE-2021-26855 | CVE-2021-26855 is a possible alias for Proxylogon. CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on | 6
CVE-2021-26858 | CVE-2021-26858 is a possible alias for Proxylogon. | 3
CVE-2021-27065 | CVE-2021-27065 is a possible alias for Proxylogon. | 3
CVE-2021-26857 | CVE-2021-26857 is a possible alias for Proxylogon. | 3
Proxynotshell | Proxynotshell is a possible alias for Proxylogon. ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Apt
Microsoft
Ransomware
Exploits
Windows
Vulnerability
Associated Malware
Alias | Description | Association Type | Votes
Tomiris | The Tomiris Malware is associated with Proxylogon. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Tick | The Tick Threat Actor is associated with Proxylogon. Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and Counte | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
CVE-2021-34473 | The CVE-2021-34473 Vulnerability is associated with Proxylogon. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to | Unspecified | 3
Zerologon | The Zerologon Vulnerability is associated with Proxylogon. Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to do | Unspecified | 2
CVE-2021-34523 | The vulnerability CVE-2021-34523 is associated with Proxylogon. | Unspecified | 2
Source Document References
Information about the Proxylogon vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created
DARKReading | a month ago
Unit42 | a month ago
BankInfoSecurity | a month ago
InfoSecurity-magazine | 2 months ago
Unit42 | 2 months ago
Unit42 | 2 months ago
DARKReading | 6 months ago
BankInfoSecurity | 6 months ago
Unit42 | 6 months ago
DARKReading | 6 months ago
DARKReading | 7 months ago
Unit42 | 9 months ago
Unit42 | 9 months ago
CERT-EU | 10 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago