Later today, the UK government plans to link the Microsoft Exchange #ProxyNotShell incident at the Electoral Commission to China. https://doublepulsar.com/uk-electoral-commission-had-an-unpatched-microsoft-exchange-server-vulnerability-5436f3f5ec2c

Edit: I should say, they might have got caught up in ProxyShell too.

UK Electoral Commission had an unpatched Microsoft Exchange Server vulnerability

You may have read about the hack of the Electoral Commission recently. In this piece we take a look at what happened, show they were running Microsoft Exchange Server with Outlook Web App (OWA)…

DoublePulsar

#ProxyNotShell in Exchange Server fingered in UK Electoral Commission hack.

TechCrunch found the Electoral Commission were using on-prem Exchange.

I had a look via @shodan history feature - their Exchange Server, with OWA enabled, was online until later in 2022 (when the incident began) - and didn't have ProxyNotShell patches installed, as Microsoft hadn't released them.

The mitigations MS released were bypassable, as seen in the Rackspace Hosted Exchange hack.

https://techcrunch.com/2023/08/09/parsing-uk-electoral-commission-cyberattack/


Aaron Brailsford recaps his big 2022 look-back on This Month In Security year in review show with Aubrey King and David Warburton. #ProxyNotShell has returned to make life difficult for Exchange Server administrators over the holidays. The exploit returns for the holidays with a bit of a twist. Take a look for more details on this persistent threat.
https://www.linkedin.com/feed/update/urn:li:activity:7026535708798435328
F5 Labs on LinkedIn: ProxyNotShell Returns For The Holidays To Target Exchange Servers

ProxyShell & Co.: Microsoft gives tips on securing Exchange Server

Against the backdrop of several critical vulnerabilities and attacks on Exchange Server, Microsoft shows which updates admins urgently need to install.

heise online

Our monthly Intelligence Insight for January is out!

https://redcanary.com/blog/intelligence-insights-january-2023/

We saw a ton of testing at the end of the year which we think boosted Mimikatz & BloodHound pretty high on our trending threats list.

We observed increased #ProxyNotShell exploitation of Exchange servers at the end of the year & have shared some thoughts on that as well!

Play #ransomware attack against Rackspace "chains CVE-2022-41080 + CVE-2022-41082 for RCE through OWA. This allows miscreants to bypass URL rewrite mitigations for Autodiscover endpoint provided by Microsoft in response to #ProxyNotShell" https://www.theregister.com/2023/01/05/rackspace_ransomware_gang/ #malware #infosec
Rackspace blames ransomware woes on zero-day attack

Play gang blamed, ProxyNotShell cleared and hosted Exchange doomed

The Register
Play ransomware has struck cloud provider Rackspace

Rackspace has completed its forensic investigation of the cyberattack. Data belonging to a small number of customers was accessed.

heise online
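The chain quoted above matters for defenders because the SSRF goes through the OWA frontend rather than Autodiscover, so the Autodiscover-scoped URL Rewrite rule Microsoft shipped as the first ProxyNotShell mitigation never inspects the request. The script below is an added example, not code from any post or vendor on this page: it scans constructed Exchange frontend IIS log lines for both request shapes. The Autodiscover pattern follows Microsoft's published URL Rewrite regex (`.*autodiscover\.json.*\@.*Powershell.*`); the `/owa/...@.../powershell` pattern is an assumption modelled on the OWA-path request shape CrowdStrike described for OWASSRF, and the sample log lines, hostnames and IPs are invented.

```python
"""Flag ProxyNotShell-style and OWASSRF-style requests in Exchange frontend IIS logs.

Added example (not from the posts above). Sample log lines are constructed.
The Autodiscover pattern mirrors Microsoft's published URL Rewrite mitigation;
the /owa pattern is an assumption based on CrowdStrike's OWASSRF description.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed IIS W3C log excerpt: fields trimmed to what the check needs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2022-12-20 10:01:02 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 200 198.51.100.7
2022-12-20 10:01:09 POST /autodiscover/autodiscover.json @evil.test/powershell&Email=autodiscover/autodiscover.json%3F@evil.test 200 203.0.113.5
2022-12-20 10:02:30 POST /owa/mastermailbox%40outlook.com/powershell - 200 203.0.113.5
2022-12-20 10:03:11 POST /powershell - 200 192.0.2.9
2022-12-20 10:04:00 GET /ecp/default.aspx - 302 198.51.100.7
"""

# Shape of Microsoft's Autodiscover-scoped URL Rewrite rule: this is all the
# first ProxyNotShell mitigation looked at (case-insensitive in later revisions).
PROXYNOTSHELL = re.compile(r"autodiscover\.json.*@.*powershell", re.I)

# Assumed OWASSRF shape: an SSRF through the /owa frontend that still reaches the
# PowerShell backend. The Autodiscover-only rule never sees this path at all.
OWASSRF = re.compile(r"^/owa/[^/]*@[^/]*/powershell(?:/|$)", re.I)

Finding = Tuple[str, str, str]  # (rule name, client ip, decoded request uri)


def scan(log_text: str) -> List[Finding]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Finding] = []
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # W3C header names the columns
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue                          # malformed line, skip rather than guess
        rec = dict(zip(fields, parts))
        # Percent-decode so %40 and friends cannot slip past the patterns.
        stem = unquote(rec["cs-uri-stem"])
        query = "" if rec["cs-uri-query"] == "-" else unquote(rec["cs-uri-query"])
        uri = stem + ("?" + query if query else "")
        if PROXYNOTSHELL.search(uri):
            findings.append(("ProxyNotShell/Autodiscover", rec["c-ip"], uri))
        elif OWASSRF.search(stem):
            findings.append(("OWASSRF/OWA", rec["c-ip"], uri))
    return findings


if __name__ == "__main__":
    for rule, ip, uri in scan(SAMPLE_LOG):
        print(f"{rule:28} {ip:15} {uri}")
```

Run against real logs, feed the `C:\inetpub\logs\LogFiles\W3SVC1\*.log` files of the frontend site through `scan`; the legitimate `/powershell` endpoint on line four is deliberately left unflagged so the check only fires on the proxied-through shapes. A hit is a reason to look for webshells and the backend PowerShell log, not proof of compromise on its own.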
I reported some #OWASSRF #ProxyNotShell via #HackerOne because I wanted to alert those companies that they hadn’t patched their Exchange Server, not because I necessarily wanted a bounty. But these programs require that you obtain RCE proof, otherwise they are closed out. I’m not going to do that, because Exchange Server is typically not in scope, which would make it illegal to do. I also don’t want to step on any webshells that may have already been deployed by other attackers.

The #ProxyNotShell vulnerability in #Microsoft #ExchangeServer, known since September, has not been fixed on hundreds of servers in Switzerland (#Schweiz). The #Patch has long been available.

At the same time, #ITSecurity is supposedly the top priority of the #CIO.🤔

https://www.netzwoche.ch/news/2023-01-04/hunderte-schweizer-exchange-server-noch-ohne-proxynotshell-patch

http://www.netzwoche.ch/news/2022-12-07/die-plaene-der-schweizer-cios-fuer-2023 (see the chart in the article)

#cybersecurity #techstuff

Hundreds of Swiss Exchange servers still without the ProxyNotShell patch

Several hundred Swiss Exchange servers are still waiting for a patch for the "ProxyNotShell" vulnerability. On these servers, "remote code execution" is theoretically possible, i.e. running malicious code from afar.

On Dec 22, 2022, Unit42 released a threat brief on OWASSRF, the new exploit method for Microsoft Exchange Server published by CrowdStrike

Threat Brief: OWASSRF Vulnerability Exploitation

https://unit42.paloaltonetworks.com/threat-brief-owassrf/

#OWASSRF #ProxyNotShell #Cybersecurity #CyberThreatIntelligence

We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow. Read the details and learn how to mitigate.

Unit 42