Original Release Date: 1/5/2023
More than 60,000 Microsoft Exchange servers, over 17,000 of them located in the United States, remain unpatched against CVE-2022-41082, the remote code execution half of the two actively exploited zero-day vulnerabilities known as ProxyNotShell (the other being the server-side request forgery CVE-2022-41040). ProxyNotShell affects Exchange Server 2013, 2016, and 2019 and may allow an authenticated threat actor to escalate privileges and execute arbitrary code on a compromised server. Multiple threat actors continue to scan for vulnerable Exchange servers. The Play ransomware group was observed using a new exploit chain dubbed OWASSRF, which reaches CVE-2022-41082 through the Outlook Web Access (OWA) endpoint rather than Autodiscover and therefore bypasses the URL Rewrite mitigation Microsoft published for ProxyNotShell. Additionally, FIN7, a Russian-speaking and financially motivated threat actor, is known to use an auto-attack system called Checkmarks to scan for multiple Microsoft Exchange remote code execution and privilege escalation vulnerabilities, such as ProxyShell and ProxyLogon. A Shodan search revealed that over 40,000 servers in the United States remain vulnerable to the ProxyShell and ProxyLogon flaws.
The NJCCIC urges administrators to apply the Microsoft Exchange Security Updates immediately after appropriate testing; the November 8, 2022 Security Update is the first to fix ProxyNotShell, and threat actors have demonstrated the ability to bypass the interim URL Rewrite mitigation, so the mitigation alone should not be relied upon. If patches cannot be applied, consider disabling OWA until the patch can be applied. Further technical details and indicators of compromise (IOCs) can be found in the CrowdStrike blog post and the Prodaft report, and additional details can be found in the BleepingComputer article.
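The following PowerShell is an added example, not part of the NJCCIC advisory, that a practitioner can run from the Exchange Management Shell to check whether each server in the organization carries at least the November 8, 2022 Security Update (the first update that fixes CVE-2022-41082 and CVE-2022-41040, as well as CVE-2022-41080, which the OWASSRF chain uses in place of CVE-2022-41040). It reads the ExSetup.exe file version rather than AdminDisplayVersion, because the latter does not change when a Security Update is installed. The build numbers in the table are taken from Microsoft's Exchange Server build number reference and should be verified against the current version of that table before acting on the output; the function name Test-ExchangeBuildPatched is this example's own.

```powershell
# Added example: report which Exchange servers lack the November 2022 SU
# (first fix for ProxyNotShell / OWASSRF). Run from the Exchange Management
# Shell as an account that can Invoke-Command on each Exchange server.
# Build numbers (assumption: verify against Microsoft's build number table):
$patchedBuilds = @{
    '15.2.1118' = [version]'15.2.1118.20'   # Exchange 2019 CU12 + Nov 2022 SU
    '15.2.986'  = [version]'15.2.986.36'    # Exchange 2019 CU11 + Nov 2022 SU
    '15.1.2507' = [version]'15.1.2507.16'   # Exchange 2016 CU23 + Nov 2022 SU
    '15.1.2375' = [version]'15.1.2375.37'   # Exchange 2016 CU22 + Nov 2022 SU
    '15.0.1497' = [version]'15.0.1497.44'   # Exchange 2013 CU23 + Nov 2022 SU
}

function Test-ExchangeBuildPatched {
    param([Parameter(Mandatory)][version]$Build)

    # Major.Minor.Build identifies the Cumulative Update; Revision is the SU level.
    $cuKey = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build

    if ($patchedBuilds.ContainsKey($cuKey)) {
        $required = $patchedBuilds[$cuKey]
        $status = if ($Build -ge $required) { 'Patched' } else { 'VULNERABLE' }
        return [pscustomobject]@{ Status = $status; Required = $required }
    }

    # CU not in the table: compare against the oldest CU of the same product
    # line that received the fix. Anything older never got a ProxyNotShell SU
    # and must be upgraded; anything newer postdates this table and needs a
    # manual check against Microsoft's reference.
    $sameProduct = $patchedBuilds.Values |
        Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor }
    if (-not $sameProduct) {
        return [pscustomobject]@{ Status = 'UnknownProduct'; Required = $null }
    }
    $oldestFixed = ($sameProduct | Sort-Object)[0]
    $status = if ($Build -lt $oldestFixed) { 'VULNERABLE (CU too old, upgrade CU)' }
              else { 'ReviewManually (CU newer than table)' }
    [pscustomobject]@{ Status = $status; Required = $oldestFixed }
}

foreach ($server in Get-ExchangeServer) {
    # ExSetup.exe's file version reflects the installed SU; AdminDisplayVersion does not.
    $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
        (Get-Command "$env:ExchangeInstallPath\bin\ExSetup.exe").FileVersionInfo.FileVersion
    }
    $result = Test-ExchangeBuildPatched -Build ([version]$fileVersion)
    [pscustomobject]@{
        Server        = $server.Name
        Build         = $fileVersion
        RequiredBuild = $result.Required
        Status        = $result.Status
    }
}
```

A server reported as VULNERABLE needs the Security Update (or, for an unsupported CU, a CU upgrade followed by the SU); until that is done, the advisory's fallback of taking OWA offline applies, since the URL Rewrite mitigation does not stop the OWASSRF path.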