Proxylogon

Vulnerability updated 2 months ago (2024-11-29T13:33:51.038Z)
ProxyLogon is the name given to a pre-authentication exploit chain against on-premises Microsoft Exchange Server (2013, 2016 and 2019). Its entry point is CVE-2021-26855, a server-side request forgery (SSRF) flaw in the Exchange front end that lets an unauthenticated attacker have requests proxied to the back end as if they came from an authenticated user. It is chained with post-authentication flaws, the arbitrary file writes CVE-2021-27065 and CVE-2021-26858 and the Unified Messaging deserialization bug CVE-2021-26857, to drop a web shell into an IIS-served directory and run code as SYSTEM. Microsoft released out-of-band patches on 2 March 2021 and attributed the initial activity to HAFNIUM; exploitation had been observed since early January 2021, and after public disclosure the chain was picked up by many other actors, including several APT groups, against hotels, governments and private companies worldwide. In April 2021, acting under a court order, the FBI removed web shells left by ProxyLogon attackers from hundreds of compromised Exchange servers; the Bureau has taken comparable court-authorized action against other malware, including Emotet and the Russian Snake data-theft implant. Threat actors nevertheless keep targeting unpatched servers: at least one APT group tracked here was observed repeatedly exploiting both ProxyLogon and the later ProxyShell chain. The fix is to apply the Exchange security updates (or Microsoft's interim mitigations where patching must wait), then check the server for existing web shells and for the log indicators of CVE-2021-26855 exploitation, because a patch does not evict an attacker who already has a shell. Endpoint protection with anti-exploitation and behavioral detection (the sources behind this entry cite Cortex XDR Pro) adds a further layer against credential-based follow-on activity.
Description last updated: 2024-11-28T11:53:15.084Z
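The two log checks implied by the advice above, as an added example written for this page (not code from the page's sources or from Microsoft). It re-implements Microsoft's published indicators for CVE-2021-26855 (HttpProxy rows with an empty AuthenticatedUser and an AnchorMailbox matching ServerInfo~*/*) and for CVE-2021-27065 (ECP server log lines in which a Set-*VirtualDirectory command carries script content or an .aspx path). The log excerpts are constructed for the example and use only a subset of the real HttpProxy columns; the ECP check is a substring search over raw lines because only the command text matters. On a real server the HttpProxy logs are under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy and the ECP server logs under ...\Logging\ECP\Server.

```python
"""Offline triage of Microsoft Exchange logs for ProxyLogon indicators.

Added example, not code from the page or from Microsoft. It re-implements the
two log checks Microsoft published for the March 2021 chain:
  * CVE-2021-26855 (SSRF): HttpProxy rows with an empty AuthenticatedUser and
    an AnchorMailbox of the form ServerInfo~*/*, i.e. a back-end request the
    front end proxied without anyone having authenticated;
  * CVE-2021-27065 (post-auth file write): ECP server log lines where a
    Set-*VirtualDirectory command carries server-side script or an .aspx
    path, i.e. a web shell being written through a virtual directory.
All log content below is constructed for the example.
"""
import csv
import io
import re
from typing import Dict, List

# CVE-2021-26855 indicator: PowerShell  -like 'ServerInfo~*/*'  as a regex.
SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]*/")
# CVE-2021-27065 indicator: virtual-directory change that smuggles script
# content or points the configuration at an .aspx file.
VDIR_CMD = re.compile(r"Set-\w+VirtualDirectory", re.IGNORECASE)
SHELL_MARKERS = re.compile(r"<script\b|\.aspx", re.IGNORECASE)

# Constructed HttpProxy log: subset of the real columns, same header style.
# Rows 1 and 3 model unauthenticated SSRF hops; rows 2 and 4 are benign.
HTTPPROXY_SAMPLE = """DateTime,RequestId,Protocol,UrlStem,AuthenticationType,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus,BackEndStatus
2021-03-03T08:15:02.101Z,1a2b,Owa,/owa/auth/x.js,,,ServerInfo~localhost/ecp/proxyLogon.ecp,203.0.113.10,200,200
2021-03-03T08:15:09.442Z,3c4d,Owa,/owa/,Basic,CONTOSO\\alice,Sid~S-1-5-21-1234567890-1234567890-1234567890-1105,198.51.100.7,200,200
2021-03-03T08:16:31.007Z,5e6f,Ecp,/ecp/y.js,,,ServerInfo~localhost/ecp/DDI/DDIService.svc/GetList?schema=OABVirtualDirectory,203.0.113.10,200,200
2021-03-03T08:20:00.000Z,7a8b,Autodiscover,/autodiscover/autodiscover.xml,Negotiate,CONTOSO\\svc_mon,Smtp~svc_mon@contoso.example,10.0.0.5,200,200
"""

# Constructed ECP server log lines. Line 1 models a shell being written via
# the OAB virtual directory's ExternalUrl (body deliberately inert).
ECP_SERVER_SAMPLE = """2021-03-03T08:17:05.330Z,ECP,203.0.113.10,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script language="JScript" runat="server">/* constructed web shell body */</script>'
2021-03-03T09:00:00.000Z,ECP,10.0.0.5,S:CMD=Get-OabVirtualDirectory
2021-03-03T09:05:12.004Z,ECP,10.0.0.5,S:CMD=Set-OwaVirtualDirectory.ExternalUrl='https://mail.contoso.example/owa'
"""


def parse_exchange_csv(log_text: str) -> List[Dict[str, str]]:
    """Parse an Exchange CSV log; any '#'-prefixed preamble lines are skipped."""
    body = "\n".join(l for l in log_text.splitlines() if l and not l.startswith("#"))
    return list(csv.DictReader(io.StringIO(body)))


def find_ssrf_hits(httpproxy_log: str) -> List[Dict[str, str]]:
    """Rows where the front end proxied to a back-end target with no authenticated user."""
    hits = []
    for row in parse_exchange_csv(httpproxy_log):
        # get() without a default returns None if the column is absent, so a
        # log lacking AuthenticatedUser cannot produce false positives.
        if row.get("AuthenticatedUser") == "" and SSRF_ANCHOR.match(row.get("AnchorMailbox") or ""):
            hits.append({k: row.get(k, "") for k in ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox")})
    return hits


def find_vdir_shell_writes(ecp_server_log: str) -> List[str]:
    """Lines where a virtual-directory change carries script content or an .aspx path."""
    return [l for l in ecp_server_log.splitlines() if VDIR_CMD.search(l) and SHELL_MARKERS.search(l)]


def triage(httpproxy_log: str, ecp_server_log: str) -> Dict[str, object]:
    """Combine both checks; compromise is likely when the SSRF hop and the write both appear."""
    ssrf = find_ssrf_hits(httpproxy_log)
    writes = find_vdir_shell_writes(ecp_server_log)
    return {
        "ssrf_hits": ssrf,
        "vdir_shell_writes": writes,
        "suspect_ips": sorted({h["ClientIpAddress"] for h in ssrf}),
        "compromise_likely": bool(ssrf) and bool(writes),
    }


if __name__ == "__main__":
    result = triage(HTTPPROXY_SAMPLE, ECP_SERVER_SAMPLE)
    for h in result["ssrf_hits"]:
        print(f"[CVE-2021-26855] {h['DateTime']} {h['ClientIpAddress']} {h['UrlStem']} -> {h['AnchorMailbox']}")
    for l in result["vdir_shell_writes"]:
        print(f"[CVE-2021-27065] {l[:110]}")
    print("suspect source IPs:", result["suspect_ips"], "compromise likely:", result["compromise_likely"])
```

A hit from the first check alone means the front end proxied an unauthenticated request to the back end, which a patched build rejects; a hit from the second check means a shell was very probably written, so the server should be treated as compromised and fully remediated rather than merely patched. Running the checks over every log file in the two directories, and adding the OABGenerator and Application-event-log indicators for CVE-2021-26858 and CVE-2021-26857, is the natural extension.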
Possible Aliases / Cluster overlaps
Vendors track clusters and naming conventions differently, so the profiles below may overlap with this entry.
Alias | Description | Votes
Proxyshell | ProxyShell is a distinct, later chain of three Microsoft Exchange Server vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that together give remote attackers unauthenticated code execution on the server, posing a significant risk to organizations worldwide. Since early 2021, Iranian government-sponsored APT ac | 7
CVE-2021-26855 | CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in on-premises Microsoft Exchange Server 2013, 2016 and 2019. It was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on | 6
CVE-2021-26858 | | 3
CVE-2021-27065 | | 3
CVE-2021-26857 | | 3
Proxynotshell | ProxyNotShell is a pair of Microsoft Exchange Server flaws, CVE-2022-41040 (SSRF) and CVE-2022-41082 (remote code execution), disclosed in late September 2022 and written up by Palo Alto Networks' Unit 42 among others. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Apt
Microsoft
Ransomware
Exploits
Windows
Vulnerability
Associated Malware
Alias | Description | Association Type | Votes
Tomiris | Tomiris is a threat group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating possible cooperation or shared tooling between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Tick | Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. The group has been linked to cyber-espionage activity and is known for deploying a variety of tools and malware families in its operations. Secureworks® incident responders and Counte | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
CVE-2021-34473 | CVE-2021-34473 is a significant vulnerability in Microsoft Exchange Server. Together with CVE-2021-31207 and CVE-2021-34523 it forms the chain known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to | Unspecified | 3
Zerologon | Zerologon (CVE-2020-1472) is a critical vulnerability in Microsoft's Netlogon Remote Protocol that emerged in 2020. It is a privilege-escalation flaw that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication m | Unspecified | 2
CVE-2021-34523 | | Unspecified | 2
Source Document References
Information about the ProxyLogon vulnerability was read from the documents listed below (display limited to 20 results).
Source | Created
DARKReading | 2 months ago
DARKReading | 3 months ago
Unit42 | 4 months ago
BankInfoSecurity | 4 months ago
InfoSecurity-magazine | 4 months ago
Unit42 | 5 months ago
Unit42 | 5 months ago
DARKReading | 8 months ago
BankInfoSecurity | 8 months ago
Unit42 | 8 months ago
DARKReading | 8 months ago
DARKReading | 9 months ago
Unit42 | a year ago
Unit42 | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago