Media Coverage

Shadowserver in the news

Many Exchange servers still vulnerable to ProxyNotShell flaw

TechTarget, January 3, 2023

A new exploit chain using one of the ProxyNotShell vulnerabilities has bypassed Microsoft’s URL Rewrite mitigations from September and put Exchange servers at risk. Approximately 60,000 IP addresses with internet-facing Exchange Server instances are still vulnerable to ProxyNotShell flaw CVE-2022-41082, according to cybersecurity nonprofit Shadowserver Foundation. CrowdStrike published a blog post last month revealing that a new exploit chain, referred to as “OWASSRF,” bypassed Microsoft’s URL Rewrite mitigations. OWASSRF combines ProxyNotShell bug CVE-2022-41082 with elevation of privilege flaw CVE-2022-41080, and it has been used in several Play ransomware attacks in recent weeks. Shadowserver, a cybersecurity nonprofit dedicated to data collection and analysis, has been scanning for IP addresses with instances of Microsoft Exchange Server that are likely vulnerable to CVE-2022-41082. On Dec. 21, the day after CrowdStrike’s research went live, Shadowserver found 83,946 vulnerable IP addresses. As of Jan. 2, that number dropped to 60,865. Shadowserver CEO Piotr Kijewski told TechTarget Editorial that compared with other recent Exchange Server security issues, the new exploit chain has not reached similar awareness levels.

“My personal take is that there is a bit less of awareness of this current issue, and hence the patching is slower,” he said. “Previous messaging on this issue focused a lot on mitigations initially, which as it turns out now were insufficient. The latest patches from [Microsoft] on Nov. 8 were not hyped as much as they should have been.”

Kijewski added that due to the way Shadowserver’s Exchange scanner is set up, it is unlikely that many of the tracked vulnerable Exchange instances are honeypots set up by researchers.

Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks

Bleeping Computer, January 3, 2023

More than 60,000 Microsoft Exchange servers exposed online are yet to be patched against the CVE-2022-41082 remote code execution (RCE) vulnerability, one of the two security flaws targeted by ProxyNotShell exploits. According to a recent tweet from security researchers at the Shadowserver Foundation, a nonprofit organization dedicated to improving internet security, almost 70,000 Microsoft Exchange servers were found to be vulnerable to ProxyNotShell attacks according to version information (the servers’ x_owa_version header). However, new data published on Monday shows that the number of vulnerable Exchange servers has decreased from 83,946 instances in mid-December to 60,865 detected on January 2nd. These two security bugs, tracked as CVE-2022-41082 and CVE-2022-41040 and collectively known as ProxyNotShell, affect Exchange Server 2013, 2016, and 2019.

In the Czech Republic, there are still 844 servers with Microsoft Exchange vulnerable using ProxyNotShell

Lupa.cz, January 3, 2023

There are still a number of vulnerable servers running Microsoft Exchange in the Czech Republic. According to the Shadowserver service, there are 844 servers that can be exploited through the ProxyNotShell vulnerability. The figure is valid as of the first of January this year, CESNET pointed out. Shadowserver further states that 66,000 IP addresses with the same vulnerability were found. Sixteen thousand of them are in the United States, twelve thousand in Germany.

Is an Exchange ProxyNotShell disaster looming at the corner?

Born's Tech and Windows World, December 28, 2022

00e2981d19c84c43839ac3ef2e5978d7.gifIn late September 2022, a new 0-day exploit method (ProxyNotShell) was found for on-premises Exchange Server, for which Microsoft released several URL rewrite rules at once in October 2022 as interim protection. Microsoft then released a security update in November 2022 to close the vulnerabilities. Microsoft Exchange servers that are not up to the new patch level are at risk of attackers abusing the ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082 as an entry vector to Microsoft Exchange Server. Before Christmas, I had reported about a suspected new attack vector used by the Play Ransomware group for successful attacks via the ProxyNotShell vulnerabilities. FIN7 is a Russian advanced persistent threat (APT) group that has increasingly targeted the U.S. retail, restaurant and hospitality sectors since mid-2015. And then another tweet came to my attention from Shadowserver, who are scanning the Internet for Microsoft Exchange servers vulnerable to the ProxyNotShell vulnerability CVE-2022-4108 (the report can be found here). The result of these scans is that nearly 70,000 Exchange servers worldwide were found to have arguably not received patches to close the ProxyNotShell vulnerability CVE-2022-4108. While there is some uncertainty because only certain version information was queried. Current data of vulnerable Exchange servers can be viewed in the Shadowserver dashboard. 

GLPI Exploitation Timeline

VulnCheck, December 21, 2022

As part of our Exploit Intelligence service, VulnCheck tracks vulnerabilities exploited in the wild. Prioritizing known exploited vulnerabilities for remediation is a smart strategy to minimize vulnerability risk. However, that strategy breaks down when some exploited vulnerabilities are overlooked. For CVE published in 2022, VulnCheck is tracking 37 more exploited vulnerabilities than the CISA KEV Catalog. One vulnerability that we’re tracking and KEV isn’t is CVE-2022-35914, a trivial unauthenticated and remote command execution vulnerability affecting GLPI. GLPI is open source software that can serve as a helpdesk, asset manager, administrator, and more. Exposing critical IT management software to the internet is a mistake the security industry sees often. Censys can find approximately 15,000 internet-facing GLPI instances. Shodan doesn’t see half as many instances as Censys, but it is able to create an interesting historical graph of internet-facing GLPI services. Shadowserver tweeted about active exploitation in the middle of October. A couple of months have passed since GLPI and Shadowserver shared their observations regarding active exploitation of CVE-2022-35914. We think it’s useful to know if the vulnerability is still under active exploitation. There are two sources that can help us quickly answer that question. First, Shadowserver maintains a useful honeypot dashboard that lists all the vulnerabilities they’ve seen exploited recently. The other source we can turn to is GreyNoise. Prioritizing the remediation of vulnerabilities exploited in the wild is a solid vulnerability management strategy. But relying on a single source of information with an incomplete dataset could result in disaster.

2022 Adversary Infrastructure Report

Recorded Future, December 15, 2022

Recorded Future’s Insikt Group® conducted a study of malicious command-and-control (C2) infrastructure identified using proactive scanning and collection methods throughout 2022. All data was sourced from the Recorded Future® Platform and is current as of September 1, 2022. Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). Since 2017, we have created detections for 108 families including RATs, advanced persistent threat (APT) malware, botnet families, and other commodity tools. We observed over 17,000 unique command-and-control (C2) servers during 2022, which is up 30% from last year. Much like 2021, our collection in 2022 was dominated by Cobalt Strike team servers, botnet families including IcedID and QakBot, and popular RATs such as PlugX. In June of 2022, ShadowServer detailed their methodology for scanning the IPv6 internet space. We predict that more organizations, including Recorded Future, will increase IPv6 scanning with resulting findings of more IPv6 C2 detections. While not widely reported on, malware that communicates over a IPv6 connection does exist, such as VirtualPie as reported on by Mandiant.

Kubernetes Architecture Explained: A Comprehensive Guide For Beginners

Devopscube, December 8, 2022

Understanding Kubernetes architecture helps you with day-to-day Kubernetes implementation and operations. When implementing a production-level cluster setup, having the right knowledge of Kubernetes components will help you run and troubleshoot applications. To reduce the cluster attack surface, it is crucial to secure the API server. The Shadowserver Foundation has conducted an experiment that discovered 380 000 publicly accessible Kubernetes API servers.

Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products.

Security Affairs, November 29, 2022

Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products. In October, the Shadowserver Foundation reported that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US. Now Cyble researchers reported more than 100,000 FortiGate firewalls accessible from the internet that may be targeted by threat actors if not patched yet.

Critical Fortinet Vulnerability CVE-2022-40684: IAB to Sell Access Appears?

IoT OT Security News, November 29, 2022

SecurityAffairs — Researchers at Cyble are aware of an Initial Access Broker (IAB ) are likely to be selling access to corporate networks. In early October, Fortinet addressed the authentication bypass vulnerability CVE-2022-40684 affecting the FortiGate Firewall/FortiProxy Web Proxy. An attacker who successfully exploited this vulnerability could log into a vulnerable device, Fortinet said. As of this October, the Shadowserver Foundation has announced that over 17K Fortinet devices exposed online are vulnerable to attacks exploiting the vulnerability CVE-2022-40684, the majority of which are located in Germany and the United States. Now , Cyble researchers report that more than 100,000 Internet-accessible FortiGate firewalls, if still unpatched, could be targeted by threat actors.

Azure Firewall IDPS signing rule categories

Microsoft, November 29, 2022

Azure Firewall IDPS includes over fifty categories that can be assigned to individual signatures. The following table is a list of definitions for each category. Botcc (command and control bot) This category is for signatures that are automatically generated from various sources of known and confirmed active botnets and other command and control (C2) hosts. This category is updated daily. The primary data source for the category is Shadowserver.org.