Proxyshell

Vulnerability Profile Updated 14 hours ago
ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that attackers can exploit to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, causing significant concern among cybersecurity agencies and professionals worldwide. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert in August 2021 urging organizations to protect against active exploitation of the ProxyShell vulnerabilities.

ProxyShell was not the only vulnerability targeted by cybercriminals. A joint Cybersecurity Advisory (CSA) observed Iranian government-sponsored Advanced Persistent Threat (APT) actors scanning for and exploiting known Fortinet FortiOS and Microsoft Exchange server vulnerabilities, including ProxyShell, since early 2021. These threat actors were particularly interested in ProxyLogon (CVE-2021-26855) and ProxyShell, repeatedly targeting these known weaknesses. The APT group's repeated use of Exchange server exploits for initial access underscores how important it is for organizations to harden and patch sensitive internet-facing assets.

To mitigate the risk posed by these vulnerabilities, organizations are advised to implement anti-exploit protection measures, such as those delivered through Cortex XSIAM, which offers protection against exploitation of various vulnerabilities, including ProxyShell and ProxyLogon. Adopting Behavioral Threat Protection modules can further enhance security by identifying and blocking the anomalous behavior patterns often associated with cyberattacks.

Despite these protective measures, Microsoft has faced criticism for perceived lax cybersecurity operations, which have led to high-profile cyberattacks exploiting vulnerabilities such as ProxyShell.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
CVE-2021-34473 | 7 | CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
Proxylogon | 6 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
CVE-2021-31207 | 5 | CVE-2021-31207 is a significant software vulnerability that affects Atlassian Confluence and Microsoft Exchange. It was discovered that Advanced Persistent Threat group APT40 rapidly exploits this flaw, along with other public vulnerabilities in widely used software like Log4J (CVE-2021-44228) and M
Proxynotshell | 3 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Miscellaneous Associations
Other elements of context that could aid in assessing relevance
Exploit
Vulnerability
Exploits
Microsoft
Confluence
Ransomware
Apt
RCE (Remote ...
Windows
Malware
Remote Code ...
Log4j
Manageengine
Spearphishing
Chromium
Proxy
CISA
Talos
Zero Day
Webkit
Sophos
Apache
MGM
Implant
Web Shell
Vpn
Fortios
Tenable
Moveit
Encryption
Esxi
Ios
Firefox
Android
Associated Malware
ID | Type | Votes | Profile Description
Babuk | Unspecified | 2 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Tortilla | Unspecified | 2 | Tortilla is a variant of the Babuk ransomware, a type of malware that has been causing significant disruptions in the digital world. As a malicious software, Tortilla is designed to infiltrate computer systems without the user's knowledge, typically through suspicious downloads, emails, or websites.
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Bellaciao | Unspecified | 1 | "BellaCiao" is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). First observed in use since at least November 2022, this malicious script dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. Likely exploit
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Blackbyte | Unspecified | 1 | BlackByte, a threat actor known for its malicious activities, has been on the radar of cybersecurity agencies since its emergence in July 2021. Notorious for targeting critical infrastructure, BlackByte attracted the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (U
Phosphorus | Unspecified | 1 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Log4Shell | Unspecified | 5 | Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
CVE-2021-34523 | Unspecified | 5 | (no description)
CVE-2022-41040 | Unspecified | 3 | CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
CVE-2022-30190 | Unspecified | 3 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
Follina | Unspecified | 3 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2021-26855 | Unspecified | 2 | CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
CVE-2018-13379 | Unspecified | 2 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
CVE-2021-26084 | Unspecified | 2 | CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2022-41082 | Unspecified | 2 | CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
CVE-2022-26134 | Unspecified | 2 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
CVE-2022-41080 | Unspecified | 2 | CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute
CVE-2021-44228 | Unspecified | 2 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
Zerologon | Unspecified | 2 | Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
CVE-2021-30551 | Unspecified | 1 | (no description)
CVE-2023-21529 | Unspecified | 1 | (no description)
CVE-2022-41128 | Unspecified | 1 | (no description)
CVE-2022-42856 | Unspecified | 1 | CVE-2022-42856 is a critical zero-day vulnerability discovered in Apple's WebKit, the company's web rendering engine. This flaw, characterized as an iOS remote code execution vulnerability, posed a significant risk to users due to its potential exploitation in the wild, enabling unauthorized parties
CVE-2021-1732 | Unspecified | 1 | CVE-2021-1732 is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Windows 10 systems. This vulnerability exposes the system to an elevation of privilege threat, where an attacker could potentially gain higher-level permissions on the system and carry out m
CVE-2021-30983 | Unspecified | 1 | (no description)
CVE-2021-39793 | Unspecified | 1 | (no description)
CVE-2021-28664 | Unspecified | 1 | (no description)
CVE-2022-1040 | Unspecified | 1 | (no description)
CVE-2022-1096 | Unspecified | 1 | (no description)
CVE-2022-26925 | Unspecified | 1 | (no description)
CVE-2021-40444 | Unspecified | 1 | (no description)
CVE-2021-38000 | Unspecified | 1 | (no description)
CVE-2021-34480 | Unspecified | 1 | (no description)
CVE-2022-41073 | Unspecified | 1 | (no description)
CVE-2022-37987 | Unspecified | 1 | (no description)
Proxylogon Cve | Unspecified | 1 | (no description)
Proxyshell Cve | Unspecified | 1 | (no description)
CVE-2016-0099 | Unspecified | 1 | (no description)
CVE-2019-11043 | Unspecified | 1 | (no description)
CVE-2012-1823 | Unspecified | 1 | (no description)
CVE-2017-12617 | Unspecified | 1 | (no description)
Tabeshell | Unspecified | 1 | (no description)
Owassrf | Unspecified | 1 | OWASSRF is a software vulnerability that presents a significant security risk to Microsoft Exchange Server systems. It's an exploit method that bypasses ProxyNotShell vulnerability mitigations, allowing for remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha
Proxynotshell Cve-2022-41040 | Unspecified | 1 | (no description)
CVE-2021-34423 | Unspecified | 1 | (no description)
CVE-2022-22960 | Unspecified | 1 | (no description)
CVE-2021-40539 | Unspecified | 1 | (no description)
CVE-2022-22954 | Unspecified | 1 | CVE-2022-22954 is a significant software vulnerability that affects VMware's Workspace One Access and Identity Manager. This flaw in the software design or implementation allows for remote code execution, providing an attacker with the ability to execute arbitrary commands on the affected system. Ov
CVE-2022-1388 | Unspecified | 1 | CVE-2022-1388 is a critical vulnerability identified in the F5 BIG-IP iControl REST interface, which allows for an authentication bypass. This flaw in software design or implementation enables unauthorized users to gain access and control over the system without needing to authenticate their identit
CVE-2020-12812 | Unspecified | 1 | (no description)
CVE-2019-5591 | Unspecified | 1 | (no description)
CVE-2022-22706 | Unspecified | 1 | (no description)
CVE-2020-12271 | Unspecified | 1 | (no description)
CVE-2022-1364 | Unspecified | 1 | (no description)
CVE-2021-21195 | Unspecified | 1 | (no description)
CVE-2021-36942 | Unspecified | 1 | (no description)
CVE-2022-2856 | Unspecified | 1 | (no description)
CVE-2022-21882 | Unspecified | 1 | (no description)
CVE-2022-22587 | Unspecified | 1 | (no description)
CVE-2022-22620 | Unspecified | 1 | (no description)
CVE-2022-26485 | Unspecified | 1 | (no description)
Source Document References
Information about the ProxyShell vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Unit42 | 15 hours ago | From RA Group to RA World: Evolution of a Ransomware Group
BankInfoSecurity | 2 months ago | Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 | 2 months ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
DARKReading | 2 months ago | China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
Securityaffairs | 2 months ago | A malware campaign exploits Microsoft Exchange Server flaws
CERT-EU | 4 months ago | Microsoft is Under Attack by Russian Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Unit42 | 5 months ago | Intruders in the Library: Exploring DLL Hijacking
Unit42 | 5 months ago | Diving Into Glupteba's UEFI Bootkit
Unit42 | 6 months ago | Threat Assessment: BianLian
CERT-EU | 6 months ago | Ransomware victims targeted in follow-on extortion attacks
CERT-EU | 6 months ago | Free Decryptor Released for Black Basta and Babuk's Tortilla Ransomware Victims | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | ProxyShell-targeting Babuk Tortilla ransomware decrypted after hacker's arrest | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Amsterdam arrest leads to Babuk Tortilla ransomware decryptor | #ransomware | #cybercrime | National Cyber Security Consulting
InfoSecurity-magazine | 6 months ago | New Decryption Key Available for Babuk Tortilla Ransomware Victims
CERT-EU | 6 months ago | And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | New decryptor for Babuk Tortilla ransomware variant released
CERT-EU | 7 months ago | Cybersecurity threatscape for Latin America and the Caribbean: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE | 7 months ago | RaaS AvosLocker Incident Response Analysis
CERT-EU | 7 months ago | GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
Securelist | 8 months ago | Kaspersky malware report for Q3 2023