Active Targets for ProxyLogon Vulnerability Shared on Cybercrime Forum

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Active Targets for ProxyLogon Vulnerability databases allegedly belonging to Shodan, Censys, and Zoomeye.
Updated on
April 19, 2023
Published on
August 21, 2021
Subscribe to the latest industry news, threats and resources.
Category Vulnerability Advisory
Affected Industries Multiple
Affected Region Global
Source* B2
Reference * #

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising databases allegedly belonging to Shodan, Censys, and Zoomeye.
  • The threat actor claims that the IP addresses of these companies' systems have unpatched MS Exchange Servers that are vulnerable to Proxy Shell.
  • The CloudSEK Threat Intelligence Research team is validating the authenticity of this post.
[caption id="attachment_17731" align="aligncenter" width="1449"]Threat actor’s post on the cybercrime forum Threat actor’s post on the cybercrime forum[/caption]  


Information from Source
The threat actor published a post on the cybercrime forum sharing a list of ~100,000 targets. The actor claims that 18% of Microsoft Exchange servers are vulnerable to ProxyShell, while 40% are vulnerable to CVE-2021-31206 to which Microsoft has assigned name as Microsoft Exchange Server Remote Code Execution Vulnerability. The threat actor claims to have collected a list of vulnerable systems from the following companies:
  • Shodan: a search engine that lets the user find specific types of systems connected to the internet using a variety of filters.
  • Censys: a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
  • Zoomeye: cyberspace mapping and search engine.
As per the list shared by the threat actor ~100,000 targets are vulnerable to the ProxyLogon vulnerability. And the files shared by the actor are in the .csv format and contain multiple data fields such as Target Domain, Service Provider, Country, etc.  Top countries impacted are:
Country No. of Targets Country No. of Targets
United States 28,029 Hong Kong 869
Germany 17,762 Turkey 824
United Kingdom 5,784 Japan 822
France 4,246 Taiwan 800
Netherlands 3,964 Spain 763
Canada 3,687 Denmark 751
Italy 3,212 Sweden 702
Russian Federation 3,180 Brazil 640
Switzerland 2,818 Poland 506
Austria 2,686 Portugal 489
Australia 2678 Hungary 482
China 1401 New Zealand 463
Czech Republic 1164 South Africa 406
Belgium 1096 India 358
  The critical MS Exchange Vulnerabilities mentioned by the threat actor are:
ProxyLogon Chain Vulnerabilities ProxyShell Chain Vulnerabilities
  • CVE-2021–26855 
  • CVE-2021–26857 
  • CVE-2021–26858
  • CVE-2021–27065
  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  Source Rating
  • The actor has a high reputation on the forum. 
  • The information shared by the actor seems logical and consistent. 
  • Most of the databases the actor has shared in the past are legitimate leaks.
  • The reliability of the actor can be rated Usually Reliable (B).
  • The credibility of the advertisement can be rated Possibly True (2).
Giving overall source credibility of B2.

Impact & Mitigation

Impact Mitigation
  • MS Exchange RCE (Remote Code Execution) gives an attacker the ability to execute commands on a vulnerable server. 
  • Initial foothold leads to a lateral movement that could potentially facilitate network takeover. 



Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations