Proxyshell

Vulnerability updated 19 days ago (2024-11-29T14:45:26.363Z)
ProxyShell is a vulnerability affecting Microsoft Exchange email servers that poses a significant risk to organizations worldwide. The flaw lets attackers exploit an exposed server and gain unauthorized access. Since early 2021, Iranian government-sponsored APT actors have been observed exploiting known vulnerabilities, including ProxyShell (CVE-2021-34473), to gain initial access to targeted entities. Exploitation has been reported in Australia and elsewhere, with threat groups such as BlackByte pivoting from their usual practice to leverage the ProxyShell flaw.

ProxyShell is part of an exploit chain made up of CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. It is related to a separate set of Exchange vulnerabilities known as ProxyLogon: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Both sets have been actively exploited by different advanced persistent threat (APT) groups, which have targeted public-facing applications on both Windows and ESXi infrastructure, possibly using the ProxyShell chain for initial access.

In response, cybersecurity agencies have issued urgent alerts advising organizations to protect against active exploitation of ProxyShell. Anti-exploit protection, such as that provided through Cortex XSIAM, is recommended to mitigate the risk; this includes Anti-Exploitation modules and Behavioral Threat Protection, which defend against credential-based attacks and other malicious activity. Organizations are urged to remain vigilant and adopt these protective measures to safeguard their systems.
Description last updated: 2024-11-21T16:05:51.414Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
CVE-2021-34473 | CVE-2021-34473 is a possible alias for Proxyshell. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to | 8
Proxylogon | Proxylogon is a possible alias for Proxyshell. ProxyLogon is a serious software vulnerability, specifically an exploit chain in Microsoft Exchange Server. The chain includes CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication and impersonate users, along with other vulnerabilities suc | 7
CVE-2021-31207 | CVE-2021-31207 is a possible alias for Proxyshell. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and a | 6
Proxynotshell | Proxynotshell is a possible alias for Proxyshell. ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Vulnerability, Exploits, Microsoft, Windows, Ransomware, Confluence, Malware, Log4j, Remote Code ..., Esxi, RCE (Remote ..., Apt
Associated Malware
Alias | Description | Association Type | Votes
Babuk | The Babuk Malware is associated with Proxyshell. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio | Unspecified | 2
Tortilla | The Tortilla Malware is associated with Proxyshell. Tortilla is a variant of the Babuk ransomware, a malicious software that encrypts victims' files and demands a ransom for their release. This malware, like others of its kind, can infiltrate systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can di | Unspecified | 2
Conti | The Conti Malware is associated with Proxyshell. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona | has used | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Blackbyte | The Blackbyte Threat Actor is associated with Proxyshell. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
CVE-2021-34523 | The vulnerability CVE-2021-34523 is associated with Proxyshell. | Unspecified | 6
Log4Shell | The Log4Shell Vulnerability is associated with Proxyshell. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized | Unspecified | 5
CVE-2022-41040 | The CVE-2022-41040 Vulnerability is associated with Proxyshell. CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism | Unspecified | 3
CVE-2021-26855 | The CVE-2021-26855 Vulnerability is associated with Proxyshell. CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on | Unspecified | 3
Follina | The Follina Vulnerability is associated with Proxyshell. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product, | Unspecified | 3
CVE-2022-30190 | The CVE-2022-30190 Vulnerability is associated with Proxyshell. CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it | Unspecified | 3
CVE-2018-13379 | The CVE-2018-13379 Vulnerability is associated with Proxyshell. CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20 | Unspecified | 2
CVE-2021-26084 | The CVE-2021-26084 Vulnerability is associated with Proxyshell. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta | Unspecified | 2
CVE-2022-26134 | The CVE-2022-26134 Vulnerability is associated with Proxyshell. CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th | Unspecified | 2
CVE-2022-41080 | The CVE-2022-41080 Vulnerability is associated with Proxyshell. CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute | Unspecified | 2
CVE-2021-44228 | The CVE-2021-44228 Vulnerability is associated with Proxyshell. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted | Unspecified | 2
CVE-2022-41082 | The CVE-2022-41082 Vulnerability is associated with Proxyshell. CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack | Unspecified | 2
Zerologon | The Zerologon Vulnerability is associated with Proxyshell. Zerologon (CVE-2020-1472) is a critical vulnerability within Microsoft's Netlogon Remote Protocol that emerged in 2020. It involves a privilege escalation condition that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication m | Unspecified | 2
Source Document References
Information about the Proxyshell Vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source | Created
InfoSecurity-magazine | a month ago
Unit42 | 2 months ago
InfoSecurity-magazine | 3 months ago
Unit42 | 3 months ago
Unit42 | 3 months ago
DARKReading | 4 months ago
Unit42 | 5 months ago
BankInfoSecurity | 7 months ago
Unit42 | 7 months ago
DARKReading | 7 months ago
Securityaffairs | 7 months ago
CERT-EU | 9 months ago
Unit42 | 10 months ago
Unit42 | 10 months ago
Unit42 | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago