EXECUTIVE SUMMARY
The ProxyLogon and ProxyShell vulnerabilities wreaked havoc on Microsoft Exchange servers. A server has been identified that was likely used to exploit these vulnerabilities to gain initial access and steal sensitive communications. The affected entities are spread across multiple regions, with government sectors specifically targeted. Numerous folders on the server contained email communications between officials, including defense, interior, and protocol ministries, such as those associated with the Afghanistan Arg.
ProxyLogon involves exploiting a server-side request forgery (SSRF) flaw in the Exchange Web Services (EWS) API, enabling attackers to perform operations on the victim's mailbox without authentication. ProxyShell comprises three vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that together allow unauthenticated attackers to execute commands on the server. An open directory was found on a server hosted on DigitalOcean, exposing 3,923 files. The directory contained folders named after the targeted countries, holding hundreds of email communications. Python scripts exploiting these vulnerabilities were also found on the server, demonstrating the use of publicly available code to search, access, and download emails from compromised mail servers.
The discovery of this server highlights the persistent threat posed by unpatched vulnerabilities like ProxyLogon and ProxyShell. The targeted attacks on government entities in Afghanistan, Georgia, Argentina, and Laos underscore the importance of diligent patch management and continuous monitoring for potential breaches. Malicious actors continue to exploit older vulnerabilities to achieve their objectives. Enhanced threat-hunting capabilities and proactive security measures are essential to safeguard sensitive information from such exploits.
THREAT PROFILE:
| Tactic | Technique Id | Technique |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1505 | Server Software Component |
| Discovery | T1083 | File and Directory Discovery |
| Collection | T1114 | Email Collection |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1565 | Data Manipulation |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-proxylogon-proxyshell-microsoft-exchange-attacks/