PoC exploit code for two dangerous Microsoft Exchange Server vulnerabilities has appeared online

ProxyNotShell is an exploit chain that combines two dangerous vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019:

  • CVE-2022-41040 (CVSS 8.8), a Microsoft Exchange Server vulnerability classified as an elevation of privilege (a server-side request forgery). It lets a remote attacker reach and trigger the second vulnerability;

  • CVE-2022-41082 (CVSS 8.8), a Microsoft Exchange Server vulnerability that lets an authenticated attacker execute code on the underlying Exchange server through PowerShell, which can lead to full compromise of the server.

Microsoft patched both vulnerabilities as part of its November 2022 Patch Tuesday release. Just a week after the patches were released, a researcher known as Janggggg published proof-of-concept exploit code for the chain that attackers had already been using to backdoor Exchange servers.

Will Dormann, a senior vulnerability analyst at Analygence, tested the exploit and confirmed that it works against Exchange Server 2016 and 2019, adding that the code needs modification before it will work against Exchange Server 2013.

Threat intelligence firm GreyNoise has been tracking ProxyNotShell exploitation since the end of September and publishes information about attack activity using the exploit, along with a list of IP addresses involved in these attacks.

According to researchers, attackers have been exploiting CVE-2022-41040 and CVE-2022-41082 since September 2022. The vulnerabilities were used to deploy the China Chopper web shell on compromised servers, steal data, and move laterally within victim networks.
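As an added example, not taken from the reports cited here or from any of the parties named above, the following Python script hunts the IIS logs of an Exchange server for ProxyNotShell-style requests. It reuses the condition from Microsoft's published URL Rewrite mitigation for this chain, which flagged any request URI containing both "autodiscover" and "powershell"; the log excerpt, hostnames and IP addresses below are constructed placeholders, not data from a real incident.

```python
"""Flag ProxyNotShell-style requests in IIS W3C logs from an Exchange server."""
import re
from urllib.parse import unquote

# Microsoft's URL Rewrite mitigation for ProxyNotShell matched REQUEST_URI against
# a pattern requiring both "autodiscover" and "powershell" in the request; the same
# condition works as a retrospective hunt over IIS logs.
PROXYNOTSHELL_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE | re.DOTALL)

# Constructed sample log excerpt in IIS W3C extended format. The hostnames and
# addresses are placeholders (documentation ranges), not from any real incident.
# IIS writes spaces inside a field (e.g. the User-Agent) as "+", so one split on
# spaces per line is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:12:01 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.example/powershell&Email=autodiscover/autodiscover.json%3F@attacker.example 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-30 10:12:03 10.0.0.5 GET /owa/ - 443 CORP\\jdoe 198.51.100.4 Mozilla/5.0 200
2022-09-30 10:12:05 10.0.0.5 POST /Autodiscover/Autodiscover.json x=@attacker.example/PowerShell 443 - 203.0.113.7 python-requests/2.28.1 200
2022-09-30 10:12:09 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\jdoe 198.51.100.4 Outlook/16.0 200
2022-09-30 10:12:11 10.0.0.5 POST /powershell - 443 CORP\\admin 10.0.0.9 Microsoft+WinRM+Client 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log line encountered before a #Fields directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def request_uri(entry):
    """Rebuild the URL-decoded request URI from stem and query ("-" means no query)."""
    uri = entry["cs-uri-stem"]
    if entry.get("cs-uri-query", "-") != "-":
        uri += "?" + entry["cs-uri-query"]
    return unquote(uri)


def find_proxynotshell_requests(text):
    """Return the requests whose decoded URI satisfies the mitigation condition."""
    hits = []
    for entry in parse_iis_w3c(text):
        uri = request_uri(entry)
        if PROXYNOTSHELL_RE.search(uri):
            hits.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry["c-ip"],
                "uri": uri,
                "status": entry["sc-status"],
            })
    return hits


def suspicious_clients(text):
    """Count flagged requests per source address, for blocking or pivoting to other logs."""
    counts = {}
    for hit in find_proxynotshell_requests(text):
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_proxynotshell_requests(SAMPLE_IIS_LOG):
        print(hit)
    print(suspicious_clients(SAMPLE_IIS_LOG))
```

Two details matter in practice: the query string is URL-decoded before matching (the exploit hides a second `autodiscover.json?@host` inside an `%3F`-encoded `Email=` parameter), and the match is case-insensitive, because Microsoft's first published rule was case-sensitive and had to be revised. A flagged request with a 200 response is a reason to inspect the server for web shells and to pivot to the client address in other logs; it is not by itself proof of compromise, and the only complete fix remains applying the updates.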

The Microsoft Exchange Team confirmed that ProxyNotShell is being actively exploited and urged customers to install the latest updates for Microsoft Exchange Server as soon as possible.

Source: the media reports cited above.