#ProxyNotShell in Exchange Server fingered in UK Electoral Commission hack.
TechCrunch found the Electoral Commission was using on-prem Exchange.
I had a look via @shodan history feature - their Exchange Server, with OWA enabled, was online until later in 2022 (when the incident began) - and didn't have ProxyNotShell patches installed, as Microsoft hadn't released them.
The mitigations MS released were bypassable, as seen in the Rackspace Hosted Exchange hack.
https://techcrunch.com/2023/08/09/parsing-uk-electoral-commission-cyberattack/
Our monthly Intelligence Insight for January is out!
https://redcanary.com/blog/intelligence-insights-january-2023/
We saw a ton of testing at the end of the year which we think boosted Mimikatz & BloodHound pretty high on our trending threats list.
We observed increased #ProxyNotShell exploitation of Exchange servers at the end of the year & have shared some thoughts on that as well!
The #ProxyNotShell vulnerability in #Microsoft #ExchangeServer, known since September, has not been fixed on hundreds of servers in #Schweiz (Switzerland). The #Patch has long been available.
At the same time, #ITSecurity is supposedly the top priority of the #CIO. 🤔
http://www.netzwoche.ch/news/2022-12-07/die-plaene-der-schweizer-cios-fuer-2023 (see the chart in the article)
#proxynotshell #microsoft #exchangeserver #schweiz #patch #ITSecurity #cio #cybersecurity #techstuff
On Dec 22, 2022, Unit42 released a threat brief on the new OWASSRF exploit method for Microsoft Exchange Server published by CrowdStrike.
Threat Brief: OWASSRF Vulnerability Exploitation
https://unit42.paloaltonetworks.com/threat-brief-owassrf/
#OWASSRF #ProxyNotShell #Cybersecurity #CyberThreatIntelligence
#PlayRansomware's new exploit method to bypass the mitigations for #ProxyNotShell is very interesting. I am going to need to build some new IOCs for this.
#cybersecurity
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
Interesting one on my honeypots - somebody popped a box with #ProxyNotShell and added an Exchange transport rule to redirect any emails mentioning cryptocurrency to an external mailbox.
No webshells. Full chain appeared automated based on time stamps.
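A check a defender would want to run after reading that honeypot report, written here as an added example (it is not part of the original post): list every Exchange transport rule whose redirect, BCC, CC or add-recipient action points outside the organisation's accepted domains, then pull the admin audit log for who created or changed rules recently. It assumes an on-prem Exchange Management Shell where Get-TransportRule, Get-AcceptedDomain and Search-AdminAuditLog are available, and that the rule's recipient values render as SMTP addresses (they may render as display names if the rule was created that way, so anything that does not contain "@" is also flagged).

```powershell
# Added example, not code from the original post.
# Run in the Exchange Management Shell with a role that can read transport rules
# and the admin audit log (e.g. Organization Management / Records Management).

# Domains the organisation owns; anything else counts as external.
$acceptedDomains = Get-AcceptedDomain |
    ForEach-Object { $_.DomainName.ToString().ToLower() }

# Transport rule actions that deliver a copy of, or redirect, a message to a recipient.
$recipientActions = 'RedirectMessageTo', 'BlindCopyTo', 'CopyTo', 'AddToRecipients'

function Test-ExternalAddress {
    # Returns $true when the address is not in (or under) an accepted domain.
    # Assumption: values look like user@domain; anything without '@' is treated
    # as suspicious too, because it cannot be confirmed as internal.
    param([string]$Address, [string[]]$InternalDomains)
    if ($Address -notmatch '@') { return $true }
    $domain = ($Address -split '@')[-1].ToLower()
    foreach ($d in $InternalDomains) {
        if ($domain -eq $d -or $domain.EndsWith(".$d")) { return $false }
    }
    return $true
}

$findings = foreach ($rule in Get-TransportRule) {
    foreach ($action in $recipientActions) {
        foreach ($recipient in @($rule.$action)) {
            if (-not $recipient) { continue }
            $addr = "$recipient"   # ToString() of the recipient parameter
            if (Test-ExternalAddress -Address $addr -InternalDomains $acceptedDomains) {
                [pscustomobject]@{
                    Rule        = $rule.Name
                    State       = $rule.State
                    Priority    = $rule.Priority
                    Action      = $action
                    Recipient   = $addr
                    # Keyword conditions make the crypto-theft pattern obvious.
                    Keywords    = (@($rule.SubjectOrBodyContainsWords) -join ', ')
                    WhenChanged = $rule.WhenChanged
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
} else {
    'No transport rules deliver mail to addresses outside the accepted domains.'
}

# Who created or modified rules in the last 30 days? Pair the Caller and RunDate
# with the rule's WhenChanged above; an unexpected caller or a change timed with
# the OWA exploitation window is the thing to chase.
Search-AdminAuditLog -Cmdlets New-TransportRule, Set-TransportRule `
    -StartDate (Get-Date).AddDays(-30) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```

Because the chain the post describes dropped no webshell, file-based detection misses it; the persistence lives in the transport rule configuration, so this kind of configuration review (ideally scheduled, with output diffed against a known-good baseline) is the control that would have caught it.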
Sharp accusation from #Rackspace: the mitigations #Microsoft had recommended for the Exchange vulnerability #ProxyNotShell can be bypassed, which is said to be the reason Rackspace was hit by a major cyberattack in December. The company did not install the patch, but relied on those mitigations.
Hosting giant Rackspace had not patched the major #Exchange vulnerability #ProxyNotShell, but relied on mitigating measures from #Microsoft. Those mitigations can be bypassed, however, which according to Rackspace the software vendor did not indicate.
https://www.agconnect.nl/artikel/rackspace-beschuldigt-microsoft-indirect-van-grote-ransomware-aanval
The Assault on Microsoft Exchange Server
Microsoft Exchange Server is an attractive target for threat actors trying to gain access to corporate networks to perform discovery operations and to deploy malware, including ransomware.
https://unveiledsecurity.com/2023/01/02/the-assault-on-microsoft-exchange-server/
#MicrosoftExchange #ProxyShell #ProxyLogon #Vulnerabilities #ProxyNotShell #OWASSRF
I'm sure someone has already posted about this and I just missed it, but Rackspace Blames Zero-Day Exploit for Ransomware Hit Success.
They are also sort of blaming Microsoft a little bit.
Hosting Giant Says Microsoft's Patch Notes Didn't Detail Remote-Code Execution Risk
Remember how it broke that malicious actors had found ways to skirt around the ProxyNotShell URL filtering mitigation provided by Microsoft? Do you also remember how anybody in the #InfoSec community knew it was only a matter of time before this happened, because there are always ways to get around filters like this?
Ah, anyway, Rackspace was relying on the URL filtering and hadn't actually patched.
Rackspace says it didn't immediately apply the Exchange patch released last November by Microsoft because of multiple user reports that the patch was causing errors, including leaving Microsoft Outlook Web Access - OWA - inaccessible. Pending a fully working patch, the company says it instead used mitigations recommended by Microsoft.
#infosec #proxynotshell #rackspace #m365 #o365 #exchange #msexchange
Okay, we have a #Rackspace update from them which confirms my reporting the servers didn’t have the #ProxyNotShell patch installed - instead they were relying on the Microsoft mitigation - which was bypassable, but Microsoft hadn’t told anybody this. The attackers used the bypass to ransomware their Hosted Exchange environment.
Patch now! Another 60,000 Exchange servers vulnerable to ProxyNotShell attacks
Security researchers warn of vulnerable Exchange servers. 30,000 of them are in Europe, most of them in Germany. Security patches are available.
#MicrosoftExchange #Patches #ProxyNotShell #Security #Sicherheitslücken #Updates #News
Nice to see our daily reports having a positive effect. Current numbers of MS Exchange servers vulnerable to the #ProxyNotShell mitigations bypass are down to around 57K instances (Jan 3rd scan).
Our daily Vulnerable Exchange Server report:
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
For more background:
ICYMI, Unit42 published a Threat Brief with analysis of #OWASSRF, an exploit method for Microsoft Exchange Server related to #ProxyNotShell on December 22.
Still around 66K IPs found with likely CVE-2022-41082 vulnerable MS Exchange instances. Most in the United States (16K IPs, 37% of discoverable instances in US) and Germany (12K IPs, 29% of discoverable instances in DE). Patch now! #ProxyNotShell
Track latest scan results here: https://t.co/tsRTE5fLnL
Background:
https://infosec.exchange/@shadowserver/109581370516297730
The latest A Daily Dose of PowerShell! https://paper.li/doctordns/1580827252?edition_id=a2cecef0-89e2-11ed-98b5-fa163eed9ef2 Thanks to @ArgusTaft@twitter.com #proxynotshell #powershell
Updating: Read the commentary thread by @GossiTheDog that begins at
https://infosec.exchange/@GossiTheDog@cyberplace.social/109603106559818167
#CottSystems #ransomware #patch #infosec #cybersecurity #DataBreach #DataProtection #ProxyNotShell #OWA #SonicWall
One of my Exchange honeypots got popped with the OWASSRF #ProxyNotShell exploit. The user was a deliberate Redline infected user from a few months ago. #threatintel
RT @Shadowserver@twitter.com
We are reporting out Microsoft Exchange servers still likely vulnerable to CVE-2022-41082 #ProxyNotShell. Nearly 70K IPs found without MS patches applied (based on version info). Previously recommended mitigation techniques can be bypassed by attackers
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
Merry Christmas and a happy New Year. To close out the year, here is the most important news: warning and update on the #Exchange #ProxyNotShell vulnerabilities, #LastPass vault data stolen, #Okta's source code stolen, data breach at #SocialBlade, and more #News.
https://www.lastbreach.de/blog/die-infosec-news-der-woche-221227