Proxyshell

Vulnerability updated 18 days ago (2024-10-09T13:00:58.232Z)
ProxyShell is the name given to a chain of three vulnerabilities in on-premises Microsoft Exchange Server that together let an unauthenticated remote attacker execute code on the server: CVE-2021-34473, a pre-authentication path-confusion flaw in the Autodiscover front end that lets a crafted request reach back-end services; CVE-2021-34523, an elevation of privilege in the Exchange PowerShell back end; and CVE-2021-31207, a post-authentication arbitrary file write that is used to drop a web shell. Microsoft's Exchange Security Updates of May 2021 (and all later cumulative updates) address all three, so the practical check is the installed Security Update level of each Exchange server, not the July 2021 publication date of the CVEs. The chain has been actively exploited by cybercriminals worldwide, with notable targeting in Australia. Exploitation became particularly urgent when it was reported that Iranian government-sponsored Advanced Persistent Threat (APT) actors had been scanning for and exploiting Fortinet FortiOS vulnerabilities since at least March 2021 and ProxyShell since at least October 2021. The same actors also targeted the earlier ProxyLogon chain in Exchange, tracked as CVE-2021-26855 together with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. These attacks underline the importance of hardening and patching sensitive internet-facing assets. In response, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging organizations to protect against active exploitation of the ProxyShell vulnerabilities. The ransomware group BlackByte has used ProxyShell in keeping with its usual practice of scanning for and exploiting public-facing vulnerabilities to gain an initial foothold. Anti-exploitation modules and behavioral threat protection have been recommended as compensating controls: the former block the exploitation technique itself, while the latter use behavioral analytics to catch the post-exploitation activity that follows a successful exploit, such as the IIS worker process (w3wp.exe) spawning a command interpreter from a dropped web shell. Palo Alto Networks states that Cortex XDR Pro, delivered through Cortex XSIAM, includes Anti-Exploit protection covering the exploitation of ProxyShell and ProxyLogon.
Description last updated: 2024-10-09T12:16:34.973Z
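Hunting for the first step of the chain in web server logs, as an added example (this is not code from the original page, from Palo Alto Networks or from CISA): the script below parses IIS W3C logs from an Exchange front end and flags the publicly documented ProxyShell request shape, a request to /autodiscover/autodiscover.json whose query string begins with '@' and re-injects autodiscover.json through the Email parameter. The log lines, hosts, domain and the X-Rps-CAT value are constructed for this example; the field order is assumed to be the one given in the #Fields header and may differ per server.

```python
"""Hunt for the ProxyShell path-confusion request (CVE-2021-34473) in IIS W3C logs."""
from urllib.parse import unquote

# Constructed sample of an IIS W3C log (the u_ex*.log format the Exchange
# front end writes). Every line is made up for this example; 198.51.100.7,
# 203.0.113.10, 192.0.2.44 and evil.test are documentation-only values.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-13 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2021-08-13 10:01:05 10.0.0.5 GET /autodiscover/autodiscover.json/v1.0/alice@example.test Protocol=ActiveSync&RedirectCount=1 443 - 192.0.2.44 Outlook-iOS/2.0 200
2021-08-13 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/autodiscover/autodiscover.json?@evil.test&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-13 10:01:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-13 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=MADEUPTOKEN&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-13 10:02:30 10.0.0.5 POST /autodiscover/autodiscover.json - 443 EXAMPLE\alice 192.0.2.44 Microsoft+Office/16.0 200
2021-08-13 10:03:00 10.0.0.5 GET /owa/
"""


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]   # the header can change mid-file after an IIS restart
            continue
        if raw.startswith("#"):
            continue                   # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue                   # truncated or malformed row: skip it, don't crash
        yield dict(zip(fields, values))


# Back-end virtual directories the front end can be tricked into forwarding to.
BACKEND_PATHS = ("/mapi/nspi", "/powershell", "/ews/", "/ecp/")


def proxyshell_indicators(entry):
    """Return the reasons a request matches the CVE-2021-34473 path-confusion pattern.

    Legitimate Autodiscover v2 traffic puts the mailbox address in the URI path
    (/autodiscover/autodiscover.json/v1.0/user@domain). The exploit instead puts an
    '@' host marker and a second autodiscover.json at the start of the query string
    so the front end rewrites the request to a back-end virtual directory.
    """
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "")
    if not stem.startswith("/autodiscover/autodiscover.json") or query == "-":
        return []
    # Decode one level of %xx so 'autodiscover.json%3f@' and 'autodiscover.json?@' compare alike.
    query = unquote(query).lower()
    reasons = []
    if query.startswith("@"):
        reasons.append("query string begins with '@' (Autodiscover path confusion)")
    if "email=autodiscover/autodiscover.json" in query:
        reasons.append("Email parameter re-injects autodiscover.json")
    for backend in BACKEND_PATHS:
        if backend in query:
            reasons.append(f"back-end path {backend} smuggled through the front end")
    if "x-rps-cat=" in query:
        reasons.append("X-Rps-CAT token in query (CVE-2021-34523 PowerShell back-end impersonation)")
    return reasons


def scan(text):
    """Return the suspicious requests from an IIS log, each with its matched reasons."""
    hits = []
    for entry in parse_iis_w3c(text):
        reasons = proxyshell_indicators(entry)
        if reasons:
            hits.append({
                "time": f'{entry["date"]} {entry["time"]}',
                "c-ip": entry["c-ip"],
                "method": entry["cs-method"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["method"], "; ".join(hit["reasons"]))
```

Run it against the u_ex*.log files under the Exchange front-end IIS log directory; the benign Autodiscover v2 line in the sample shows why the rule keys on the query string rather than on an '@' anywhere in the request, and the X-Rps-CAT match is the point at which the attacker has moved from the SSRF step to impersonating an administrator on the PowerShell back end.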
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes
CVE-2021-34473 is a possible alias for Proxyshell. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to [Votes: 8]
Proxylogon is a possible alias for Proxyshell. ProxyLogon is a significant software vulnerability that was discovered in Microsoft Exchange Server. It is part of an exploit chain, including CVE-2021-26855, which is a server-side request forgery (SSRF) vulnerability. This flaw allows attackers to bypass authentication mechanisms and impersonate u [Votes: 7]
CVE-2021-31207 is a possible alias for Proxyshell. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Microsoft Exchange Server, where it is the post-authentication file-write step of the ProxyShell chain; the same group has also exploited flaws in other widely used platforms such as Atlassian Confluence, and a [Votes: 6]
Proxynotshell is a possible alias for Proxyshell. ProxyNotShell is a pair of Microsoft Exchange Server flaws, CVE-2022-41040 and CVE-2022-41082, that were exploited together in the wild as a zero-day chain, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t [Votes: 3]
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Exploits
Microsoft
Ransomware
Confluence
Windows
Malware
Log4j
Remote Code ...
RCE (Remote ...
Apt
Associated Malware
Alias / Description / Association Type / Votes
The Babuk Malware is associated with Proxyshell. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio [Association type: Unspecified; Votes: 2]
The Tortilla Malware is associated with Proxyshell. Tortilla is a variant of the Babuk ransomware, a malicious software that encrypts victims' files and demands a ransom for their release. This malware, like others of its kind, can infiltrate systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can di [Association type: Unspecified; Votes: 2]
The Conti Malware is associated with Proxyshell. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op [Association type: has used; Votes: 2]
Associated Threat Actors
Alias / Description / Association Type / Votes
The Blackbyte Threat Actor is associated with Proxyshell. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This [Association type: Unspecified; Votes: 2]
Associated Vulnerabilities
Alias / Description / Association Type / Votes
The vulnerability CVE-2021-34523 is associated with Proxyshell. CVE-2021-34523 is the elevation-of-privilege flaw in the Exchange PowerShell back end that forms the second step of the ProxyShell chain. [Association type: Unspecified; Votes: 6]
The Log4Shell Vulnerability is associated with Proxyshell. Log4Shell, officially known as CVE-2021-44228, is a serious software vulnerability in the Apache Log4j logging library. It emerged as a significant threat to internet-facing systems when it was discovered that LockBit affiliates and other Advanced Persistent Threat (APT) actors could exploit this fl [Association type: Unspecified; Votes: 5]
The Follina Vulnerability is associated with Proxyshell. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The flaw lies in the Microsoft Support Diagnostic Tool (MSDT) and is triggered from a crafted Office document. [Association type: Unspecified; Votes: 3]
The CVE-2021-26855 Vulnerability is associated with Proxyshell. CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on [Association type: Unspecified; Votes: 3]
The CVE-2022-30190 Vulnerability is associated with Proxyshell. CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it [Association type: Unspecified; Votes: 3]
The CVE-2022-41040 Vulnerability is associated with Proxyshell. CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism [Association type: Unspecified; Votes: 3]
The CVE-2018-13379 Vulnerability is associated with Proxyshell. CVE-2018-13379 is a critical path-traversal vulnerability in the Fortinet FortiOS SSL VPN web portal that lets an unauthenticated attacker read the session file and the credentials it holds. It has been frequently exploited, making the top 15 most routinely exploited list in both 20 [Association type: Unspecified; Votes: 2]
The CVE-2021-26084 Vulnerability is associated with Proxyshell. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw, an OGNL injection, was first exploited as a zero-day before its public disclosure in August 2021. It allowed remote attackers to execute code on a Confluence Server via injection atta [Association type: Unspecified; Votes: 2]
The CVE-2022-26134 Vulnerability is associated with Proxyshell. CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th [Association type: Unspecified; Votes: 2]
The CVE-2022-41080 Vulnerability is associated with Proxyshell. CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. Microsoft classifies it as an elevation of privilege; it is reached through the Outlook Web Access front end (the OWASSRF method) and, chained with CVE-2022-41082, lets an attacker reach back-end endpoints and execute code. [Association type: Unspecified; Votes: 2]
The CVE-2021-44228 Vulnerability is associated with Proxyshell. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted [Association type: Unspecified; Votes: 2]
The CVE-2022-41082 Vulnerability is associated with Proxyshell. CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack [Association type: Unspecified; Votes: 2]
The Zerologon Vulnerability is associated with Proxyshell. Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to do [Association type: Unspecified; Votes: 2]
Source Document References
Information about the Proxyshell Vulnerability was read from the documents corpus below (display limited to 20 results).
Source / Created
Unit42, 19 days ago
InfoSecurity-magazine, a month ago
Unit42, 2 months ago
Unit42, 2 months ago
DARKReading, 2 months ago
Unit42, 3 months ago
BankInfoSecurity, 5 months ago
Unit42, 5 months ago
DARKReading, 5 months ago
Securityaffairs, 5 months ago
CERT-EU, 7 months ago
Unit42, 8 months ago
Unit42, 8 months ago
Unit42, 9 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
InfoSecurity-magazine, 10 months ago
CERT-EU, 10 months ago