Active Targets for ProxyLogon Vulnerability Shared on Cybercrime Forum

Summary

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Active Targets for ProxyLogon Vulnerability databases allegedly belonging to Shodan, Censys, and Zoomeye.
Category Vulnerability Advisory
Affected Industries Multiple
Affected Region Global
Source* B2
TLP# GREEN
Reference *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol
 

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising databases allegedly belonging to Shodan, Censys, and Zoomeye.
  • The threat actor claims that the IP addresses of these companies' systems have unpatched MS Exchange Servers that are vulnerable to Proxy Shell.
  • The CloudSEK Threat Intelligence Research team is validating the authenticity of this post.
Threat actor’s post on the cybercrime forum
Threat actor’s post on the cybercrime forum
 

Analysis

Information from Source
The threat actor published a post on the cybercrime forum sharing a list of ~100,000 targets. The actor claims that 18% of Microsoft Exchange servers are vulnerable to ProxyShell, while 40% are vulnerable to CVE-2021-31206 to which Microsoft has assigned name as Microsoft Exchange Server Remote Code Execution Vulnerability. The threat actor claims to have collected a list of vulnerable systems from the following companies:
  • Shodan: a search engine that lets the user find specific types of systems connected to the internet using a variety of filters.
  • Censys: a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
  • Zoomeye: cyberspace mapping and search engine.
As per the list shared by the threat actor ~100,000 targets are vulnerable to the ProxyLogon vulnerability. And the files shared by the actor are in the .csv format and contain multiple data fields such as Target Domain, Service Provider, Country, etc.  Top countries impacted are:
Country No. of Targets Country No. of Targets
United States 28,029 Hong Kong 869
Germany 17,762 Turkey 824
United Kingdom 5,784 Japan 822
France 4,246 Taiwan 800
Netherlands 3,964 Spain 763
Canada 3,687 Denmark 751
Italy 3,212 Sweden 702
Russian Federation 3,180 Brazil 640
Switzerland 2,818 Poland 506
Austria 2,686 Portugal 489
Australia 2678 Hungary 482
China 1401 New Zealand 463
Czech Republic 1164 South Africa 406
Belgium 1096 India 358
  The critical MS Exchange Vulnerabilities mentioned by the threat actor are:
ProxyLogon Chain Vulnerabilities ProxyShell Chain Vulnerabilities
  • CVE-2021–26855 
  • CVE-2021–26857 
  • CVE-2021–26858
  • CVE-2021–27065
  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  Source Rating
  • The actor has a high reputation on the forum. 
  • The information shared by the actor seems logical and consistent. 
  • Most of the databases the actor has shared in the past are legitimate leaks.
Hence,
  • The reliability of the actor can be rated Usually Reliable (B).
  • The credibility of the advertisement can be rated Possibly True (2).
Giving overall source credibility of B2.

Impact & Mitigation

Impact Mitigation
  • MS Exchange RCE (Remote Code Execution) gives an attacker the ability to execute commands on a vulnerable server. 
  • Initial foothold leads to a lateral movement that could potentially facilitate network takeover. 

Appendix

   

Table of Contents

Request an easy and customized demo for free