ProxyNotShell vulnerabilities are exploited by adversaries for remote code execution (RCE) in vulnerable Exchange servers in the wild. The victim statistics show that exploited Exchange servers were up-to-date and patched against ProxyShell vulnerabilities.
Researchers published proof-of-concept (PoC) details after Microsoft patched the vulnerabilities in October Patch Tuesday. Since the patch, the attackers still target vulnerable MS Exchange Server builds such as MS Exchange Server 2013, MS Exchange Server 2016, and MS Exchange Server 2019 with the exploit.
This is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability .
This Vulnerability allows Remote code execution when MS Exchange powershell is accessible to the attacker.
Attackers initially used CVE-2022-41040 to gain access to the PowerShell API endpoint (https://%exchange server domain%/powershell). An attacker with a known credential combination for a registered account can use this access to execute PowerShell commands in the Exchange environment.
Additionally, the attacker immediately sends a special request through WSMAN to enable the keep-alive option, which extends the shell’s lifetime.
After that, the attacker exploits a second vulnerability.By using PowerShell Remoting the attacker sends a request to create an address book, passing encoded and serialized data with a special payload as a parameter. In a published PoC, this encoded data contains a gadget called System.UnitySerializationHolder that spawns an object of the System.Windows.Markup.XamlReader class
After ProxyNotShell was successfully exploited in the wild, post-exploitation activities included hijack attempts, reconnaissance of users, groups, and domains, remote process injection, reverse shell deployment, and obtaining persistence.
According to researchers who reviewed relevant logs, there was no proof that threat actors used CVE-2022-41040 to gain initial access.