LeMagIT

ProxyNotShell: Many Exchange servers still vulnerable

According to the Shadowserver Foundation, a non-profit organization specializing in cybersecurity, roughly 60,000 IP addresses exposing Exchange Server instances are still vulnerable to ProxyNotShell, tracked as CVE-2022-41082.

ProxyNotShell refers to a pair of Exchange Server vulnerabilities, first disclosed in September 2022, that malicious actors chained together in a series of targeted attacks. The first, CVE-2022-41040, is a server-side request forgery (SSRF) flaw; the second, CVE-2022-41082, is a remote code execution (RCE) flaw in the Exchange PowerShell back end, which the SSRF lets an authenticated attacker reach. The name ProxyNotShell is a nod to ProxyShell, a now-famous series of Exchange bugs uncovered in 2021.

Microsoft did not ship a patch for ProxyNotShell until the November 2022 Patch Tuesday. Until then, the company urged customers to mitigate the vulnerabilities with an IIS URL Rewrite rule blocking the Autodiscover request pattern at the heart of the exploit chain.

However, CrowdStrike published a blog post last month revealing that a new exploit chain, dubbed "OWASSRF", bypasses Microsoft's URL rewrite mitigations. OWASSRF chains CVE-2022-41080, an elevation-of-privilege flaw, with the ProxyNotShell RCE bug CVE-2022-41082, and reaches the vulnerable back end through Outlook Web Access (OWA) rather than Autodiscover, which is why rewrite rules scoped to the Autodiscover path do not stop it. It has been used in several Play ransomware attacks over the past few weeks.

CrowdStrike is urging organizations to apply the November 8 Patch Tuesday updates. OWASSRF is considered particularly dangerous because it hits organizations that applied the mitigations and concluded that the ProxyNotShell patch was unnecessary. Both CrowdStrike and Rapid7 have observed an uptick in attacks on Exchange servers suspected to be OWASSRF-driven.
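To make the mitigation gap concrete, here is an added illustration (not code from LeMagIT, Microsoft or CrowdStrike) that models the IIS URL Rewrite "Abort Request" mitigation as a regex check and runs it over a handful of constructed request URIs. The three patterns follow the publicly discussed history of Microsoft's rule (a first version requiring a literal "@", a second without it after researchers showed the "@" was not needed, and a final lookahead version applied to the URL-decoded URI); they are reproduced here as an assumption and should be checked against Microsoft's advisory before being relied on. The sample URIs are invented for illustration and are not indicators of compromise; Python's `re` stands in for the .NET regex engine with "ignore case" enabled.

```python
"""Why a URL Rewrite rule scoped to Autodiscover cannot stop an OWA-path chain.

Added example, not the article's or any vendor's code.  Rule patterns are
assumptions reproduced from the advisory history; sample URIs are constructed.
"""
import re
from urllib.parse import unquote

# Generation 1 (assumed): the first published pattern, requiring a literal "@".
RULE_V1 = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Generation 2 (assumed): "@" dropped once it was shown to be unnecessary.
RULE_V2 = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)

# Generation 3 (assumed): two lookaheads, evaluated on the URL-decoded URI so
# percent-encoding cannot hide either token.
RULE_V3 = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def blocked(rule: re.Pattern, request_uri: str, url_decode: bool) -> bool:
    """True if the modelled rewrite rule would abort this request."""
    target = unquote(request_uri) if url_decode else request_uri
    return rule.search(target) is not None


# Constructed sample traffic (illustrative only, not real IOCs).
SAMPLES = {
    # Ordinary Autodiscover lookup; must never be blocked.
    "benign_autodiscover": "/autodiscover/autodiscover.json?Email=user@example.com",
    # ProxyNotShell-shaped request with the "@" the first rule keyed on.
    "pns_canonical": "/autodiscover/autodiscover.json?x@example.com/powershell?serializationLevel=Full",
    # Same idea without "@": slips past generation 1.
    "pns_no_at": "/autodiscover/autodiscover.json?x/powershell",
    # Percent-encoded "@" and "p": slips past anything not URL-decoding first.
    "pns_encoded": "/autodiscover/autodiscover.json?x%40example.com/%70owershell",
    # OWA front-end path (OWASSRF-style): contains no "autodiscover" at all,
    # so no Autodiscover-scoped rule can match it.  Only the patch helps.
    "owassrf_style": "/owa/x/powershell",
}


def evaluate(uri: str) -> dict:
    """Which rule generations would block this URI."""
    return {
        "v1": blocked(RULE_V1, uri, url_decode=False),
        "v2": blocked(RULE_V2, uri, url_decode=False),
        "v3": blocked(RULE_V3, uri, url_decode=True),
    }


def coverage() -> dict:
    """Blocking matrix for every sample."""
    return {name: evaluate(uri) for name, uri in SAMPLES.items()}


def unmitigated() -> list:
    """Samples that none of the rule generations would block."""
    return [name for name, hits in coverage().items() if not any(hits.values())]


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:22s} " + "  ".join(f"{k}={'BLOCK' if v else 'pass '}" for k, v in hits.items()))
    print("never blocked:", unmitigated())
```

The matrix shows the two lessons of the story: each rule revision plugs a bypass within the Autodiscover path, but a chain that enters through a different front-end path is outside the rule's scope entirely, so a rewrite rule can only ever be a stopgap until the November security update is installed.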

Shadowserver has been scanning for IP addresses hosting Microsoft Exchange Server instances potentially vulnerable to CVE-2022-41082. On December 21, the day after CrowdStrike's research was published, Shadowserver counted 83,946 potentially vulnerable IP addresses. By January 2, that number had dropped to 60,865.

As of January 2, nearly 61,000 vulnerable Exchange servers were still directly exposed to the Internet.

Piotr Kijewski, CEO of Shadowserver, told TechTarget Editorial that the new exploit chain has not yet reached a level of awareness comparable to other recent Exchange security problems.

“Personally, I think this issue is a little less known and therefore patching is slower,” he said. “Previous posts on this topic initially focused on mitigation measures that proved insufficient. The latest [Microsoft] fixes, from November 8, didn’t get as much attention as they should have.”

Kijewski added that, given how Shadowserver’s Exchange scanner is configured, it is unlikely that many of the vulnerable Exchange instances it found are decoys, i.e. honeypots set up by researchers.

“The Exchange scanner consists of three scans and four processing scripts that extract various vulnerabilities and information,” he said. “The first [scan] is a HEAD request and the other two are GET requests, which we assume must follow redirects. So they would have to be real instances configured as honeypots for us to collect information about them, meaning by definition we’re likely to collect less.”