Proxyshell

Vulnerability updated a day ago (2024-09-07T01:17:47.166Z)
ProxyShell is a chain of three vulnerabilities in on-premises Microsoft Exchange Server that threat actors have exploited to gain unauthorized access to, and control of, targeted systems. The chain is commonly referred to by its lead identifier, CVE-2021-34473, but it consists of three CVEs used together: CVE-2021-34473, a pre-authentication path-confusion flaw in the Autodiscover front end; CVE-2021-34523, an elevation-of-privilege flaw in the Exchange PowerShell back end; and CVE-2021-31207, a post-authentication arbitrary file write that is typically used to drop a webshell.

Active in-the-wild exploitation led cybersecurity agencies worldwide to issue urgent alerts urging organizations to protect against it; the Australian Cyber Security Centre, for example, warned of ProxyShell targeting within Australia, underlining the global reach of the threat. ProxyShell was not the only Exchange vulnerability leveraged by cybercriminals: ProxyLogon (CVE-2021-26855) was also exploited. According to a joint Cybersecurity Advisory (CSA), Iranian government-sponsored Advanced Persistent Threat (APT) actors had been scanning for and exploiting these vulnerabilities since early 2021. Ransomware groups such as BlackByte used ProxyShell to gain an initial foothold, and the APT group ToddyCat was found repeatedly targeting these vulnerabilities, particularly those in Microsoft Exchange servers.

In response, organizations have been advised to protect against exploitation of these vulnerabilities with anti-exploitation modules and behavioral threat protection; Cortex XSIAM, for instance, is cited as providing protection against exploitation of several vulnerabilities including ProxyShell and ProxyLogon. The repeated reuse of these exploits, however, emphasizes that hardening and promptly patching sensitive internet-facing assets matters more than any single detection layer. Microsoft in particular has faced criticism for perceived lax security operations, associated with high-profile incidents such as the compromise of its Microsoft 365 cloud environment and the series of PrintNightmare vulnerabilities.
Description last updated: 2024-09-07T00:23:06.166Z
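The Autodiscover path confusion and PowerShell back-end access that make up the ProxyShell chain leave distinctive traces in the Exchange front end's IIS logs. The hunt script below is an added example, not code from this profile, from Microsoft, or from any vendor product; it assumes a particular IIS W3C field selection (named in the code), uses a constructed sample log with RFC 5737 addresses and a dummy X-Rps-CAT value, and treats the webshell check as a heuristic that has to be baselined against a known-good server.

```python
"""Hunt for ProxyShell-style requests in IIS W3C logs from an Exchange front end.

Added example, not from the Cybergeist profile or any vendor product. The
patterns follow the publicly documented exploit chain:
  * CVE-2021-34473: a request to /autodiscover/autodiscover.json whose query
    carries Email=autodiscover/autodiscover.json?@<host>, which the front end
    rewrites into a back-end request such as /powershell or /mapi/nspi.
  * CVE-2021-34523: the X-Rps-CAT query parameter, used to present a forged
    token to the PowerShell back end.
  * CVE-2021-31207: an .aspx file written where Exchange never serves user
    content (for example /aspnet_client/) and then requested over HTTP.
The first two checks are specific; the webshell check is a heuristic.
"""
import re
from urllib.parse import unquote

# Assumed IIS field order (select exactly these fields in IIS logging).
FIELDS = ("date", "time", "method", "uri_stem", "uri_query", "client_ip", "status")

# Matching runs on the percent-decoded query, case-insensitively.
PATH_CONFUSION = re.compile(r"email=autodiscover/autodiscover\.json\?@", re.I)
BACKEND_TOKEN = re.compile(r"(^|[?&])x-rps-cat=", re.I)
SUSPECT_ASPX = re.compile(r"^/(aspnet_client|owa/auth)/([^/]+\.aspx)$", re.I)
# Partial allow-list of .aspx pages that legitimately live under /owa/auth/;
# extend it from a clean server of the same build before relying on it.
KNOWN_OWA_AUTH = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}

# Constructed sample log: line 2 is normal OWA, 3 and 4 are the ProxyShell
# path-confusion pattern (4 also carries the back-end token), 5 is a normal
# Autodiscover request that contains an '@' but is not an attack, 6 is a
# request for a dropped .aspx file.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-12 10:01:02 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 203.0.113.5 200
2021-08-12 10:01:09 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 198.51.100.7 200
2021-08-12 10:01:11 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example 198.51.100.7 200
2021-08-12 10:01:15 GET /autodiscover/autodiscover.json Email=alice%40example.test&Protocol=ActiveSync 203.0.113.5 200
2021-08-12 10:02:30 GET /aspnet_client/shell.aspx - 198.51.100.7 200
"""


def parse_line(line):
    """Split one W3C log line into a dict; None for comments or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return the detection labels that apply to one parsed request."""
    labels = []
    stem = rec["uri_stem"].lower()
    query = "" if rec["uri_query"] == "-" else unquote(rec["uri_query"])
    # A bare '@' in an Autodiscover query is normal (Email=user@domain); the
    # exploit signature is Email= pointing back at autodiscover.json itself.
    if stem == "/autodiscover/autodiscover.json" and PATH_CONFUSION.search(query):
        labels.append("proxyshell-path-confusion")
    if BACKEND_TOKEN.search(query):
        labels.append("proxyshell-backend-token")
    m = SUSPECT_ASPX.match(stem)
    if m and m.group(2) not in KNOWN_OWA_AUTH:
        labels.append("possible-webshell-request")
    return labels


def hunt(log_text):
    """Scan a whole log and return one finding per matching line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec)
        if labels:
            findings.append({"line": lineno, "client_ip": rec["client_ip"],
                             "uri": rec["uri_stem"], "labels": labels})
    return findings


def summarize(findings):
    """Count findings per client address, the usual first pivot in triage."""
    counts = {}
    for f in findings:
        counts[f["client_ip"]] = counts.get(f["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>3} {f['client_ip']:<15} {f['uri']:<40} {', '.join(f['labels'])}")
    print("by source:", summarize(found))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the two ProxyShell labels are worth alerting on directly, while the webshell label should be reviewed together with file-creation events under the IIS web root, since a successful chain ends with CVE-2021-31207 writing the .aspx that the last sample line requests.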
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description

CVE-2021-34473 (7 votes)
CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to

Proxylogon (6 votes)
ProxyLogon is a significant software vulnerability, specifically a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. Identified as CVE-2021-26855, it forms part of the ProxyLogon exploit chain and allows attackers to bypass authentication mechanisms and impersonate users

CVE-2021-31207 (5 votes)
CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability is a Microsoft Exchange Server security feature bypass (the post-authentication arbitrary file write step of the ProxyShell chain), not a Confluence flaw, and a

Proxynotshell (3 votes)
ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It is tracked as two CVEs, CVE-2022-41040 (SSRF) and CVE-2022-41082 (remote code execution), and its exploitation was reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Vulnerability, Exploits, Microsoft, Ransomware, Confluence, Windows, Malware, Log4j, Remote Code ..., RCE (Remote ..., Apt
Associated Malware
ID | Relationship type | Votes | Profile Description

Tortilla (Unspecified, 2 votes)
Tortilla is a variant of the Babuk ransomware, a malicious software that encrypts victims' files and demands a ransom for their release. This malware, like others of its kind, can infiltrate systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can di

Conti (has used, 2 votes)
Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Babuk (Unspecified, 2 votes)
Babuk is a type of malware, specifically ransomware, that infiltrates systems to encrypt files and hold them for ransom. This malicious software can infect your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations by enc
Associated Threat Actors
ID | Relationship type | Votes | Profile Description

Blackbyte (Unspecified, 2 votes)
BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This
Associated Vulnerabilities
ID | Relationship type | Votes | Profile Description

CVE-2021-34523 (Unspecified, 5 votes)
No profile description on this page. Per the CVE-2021-34473 entry above, CVE-2021-34523 is one of the three CVEs in the ProxyShell chain; it is the elevation-of-privilege flaw in the Exchange PowerShell back end.

Log4Shell (Unspecified, 5 votes)
Log4Shell is a significant software vulnerability that exists within the Log4j Java-based logging utility. The vulnerability, officially designated as CVE-2021-44228, allows potential attackers to execute arbitrary code on targeted systems. Advanced Persistent Threat (APT) actors, including LockBit

Follina (Unspecified, 3 votes)
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou

CVE-2022-30190 (Unspecified, 3 votes)
CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it

CVE-2022-41040 (Unspecified, 3 votes)
CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism

CVE-2018-13379 (Unspecified, 2 votes)
CVE-2018-13379 is a critical vulnerability in the FortiOS SSL VPN web portal: a path traversal that lets an unauthenticated attacker read the session file containing plaintext credentials. It has been frequently exploited, making the top 15 most routinely exploited list in both 20

CVE-2021-26084 (Unspecified, 2 votes)
CVE-2021-26084 is a critical vulnerability in Atlassian's Confluence Server and Data Center. The flaw, an OGNL injection, was widely exploited shortly after Atlassian's public disclosure in August 2021 (the June 2022 disclosure belongs to the separate Confluence flaw CVE-2022-26134, below). It allowed remote attackers to execute code on a Confluence Server via injection atta

CVE-2022-26134 (Unspecified, 2 votes)
CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th

CVE-2022-41080 (Unspecified, 2 votes)
CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. Rated by Microsoft as an elevation of privilege, it was used in the same server-side request forgery (SSRF) role as CVE-2022-41040, potentially allowing malicious actors to manipulate server requests and execute

CVE-2021-44228 (Unspecified, 2 votes)
CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted

CVE-2022-41082 (Unspecified, 2 votes)
CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack

Zerologon (Unspecified, 2 votes)
Zerologon, also known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol that affects all versions of Windows Server OS from 2008 onwards. The flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Ac

CVE-2021-26855 (Unspecified, 2 votes)
CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on
Source Document References
Information about the ProxyShell vulnerability was read from the documents below (display limited to 20 results).

Source | Created | Title

Unit42, a day ago: Chinese APT Abuses VSCode to Target Government in Asia
DARKReading, 10 days ago: BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
Unit42, 2 months ago: From RA Group to RA World: Evolution of a Ransomware Group
BankInfoSecurity, 3 months ago: Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42, 3 months ago: Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
DARKReading, 3 months ago: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
Securityaffairs, 4 months ago: A malware campaign exploits Microsoft Exchange Server flaws
CERT-EU, 6 months ago: Microsoft is Under Attack by Russian Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Unit42, 6 months ago: Intruders in the Library: Exploring DLL Hijacking
Unit42, 7 months ago: Diving Into Glupteba's UEFI Bootkit
Unit42, 7 months ago: Threat Assessment: BianLian
CERT-EU, 8 months ago: Ransomware victims targeted in follow-on extortion attacks
CERT-EU, 8 months ago: Free Decryptor Released for Black Basta and Babuk's Tortilla Ransomware Victims | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 8 months ago: ProxyShell-targeting Babuk Tortilla ransomware decrypted after hacker’s arrest | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 8 months ago: Amsterdam arrest leads to Babuk Tortilla ransomware decryptor | #ransomware | #cybercrime | National Cyber Security Consulting
InfoSecurity-magazine, 8 months ago: New Decryption Key Available for Babuk Tortilla Ransomware Victims
CERT-EU, 8 months ago: And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 8 months ago: New decryptor for Babuk Tortilla ransomware variant released
CERT-EU, 9 months ago: Cybersecurity threatscape for Latin America and the Caribbean: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE, 9 months ago: RaaS AvosLocker Incident Response Analysis