ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082)



Reports indicate that CVE-2022-41040 and CVE-2022-41082, the Microsoft Exchange Server zero-days dubbed ProxyNotShell, are still being actively exploited.

Adversaries chain the two ProxyNotShell vulnerabilities to achieve remote code execution (RCE) on vulnerable on-premises Exchange servers in the wild. Victim statistics show that the exploited servers were otherwise up to date and already patched against the earlier ProxyShell vulnerabilities, so the ProxyShell fixes offer no protection against this chain.

Researchers published proof-of-concept (PoC) details after Microsoft shipped fixes in its November 2022 Patch Tuesday updates. Servers that have not installed those updates remain exploitable: attackers continue to target unpatched builds of Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 with the exploit.

CVE-2022-41040

This is a server-side request forgery (SSRF) vulnerability that lets an authenticated attacker reach the Exchange PowerShell backend remotely and so trigger the second vulnerability. The attacker needs valid credentials for an account on the server, but not necessarily a privileged one.

CVE-2022-41082

This vulnerability allows remote code execution when the Exchange PowerShell endpoint is reachable by the attacker, which is exactly what CVE-2022-41040 provides; the two are therefore chained.

Exploitation

Attackers first use CVE-2022-41040 to reach the PowerShell API endpoint (https://%exchange server domain%/powershell). With a known credential combination for a registered account, the attacker can then execute PowerShell commands in the Exchange environment.

Immediately afterwards, the attacker sends a special request through WSMAN (the WS-Management protocol that PowerShell Remoting runs over) to enable the keep-alive option, which extends the remote shell's lifetime so that later requests can reuse it.

Next, the attacker exploits the second vulnerability. Using PowerShell Remoting, the attacker sends a request to create an address book, passing encoded, serialized data containing a specially crafted payload as a parameter. In the published PoC this encoded data carries a deserialization gadget based on System.UnitySerializationHolder that instantiates a System.Windows.Markup.XamlReader object; the attacker-controlled XAML is parsed on the server, which is what turns the request into code execution.

Once ProxyNotShell had been successfully exploited in the wild, observed post-exploitation activity included hijack attempts, reconnaissance of users, groups and domains, remote process injection, deployment of reverse shells, and the establishment of persistence.

Researchers who reviewed the relevant logs found no evidence that CVE-2022-41040 itself was used to obtain initial access; consistent with the chain requiring valid credentials, the account used had been compromised beforehand.

IOCs

File hashes (MD5):

  • F77E55FD56FDAD21766CAA9C896734E9
  • F9322EAD69300501356B13D751165DAA
  • A2FAE32F116870E5A94B5FAB50A1CB71
  • 47A0814408210E6FCA502B3799B3952B
  • 379F87DAA6A23400ADF19C1CDD6B0DC9

Network:

  • 193.149.185.52:443


About the Author:

FirstHackersNews- Identifies Security
