| Category | Vulnerability Advisory |
| Affected Industries | Multiple |
| Affected Region | Global |
| Source* | B2 |
| TLP# | GREEN |
| Reference | |

*https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
#https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Executive Summary
- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising databases allegedly belonging to Shodan, Censys, and Zoomeye.
- The threat actor claims that the listed IP addresses, gathered from these companies' search services, run unpatched MS Exchange servers that are vulnerable to ProxyShell.
- The CloudSEK Threat Intelligence Research team is validating the authenticity of this post.
Figure: Threat actor's post on the cybercrime forum
Analysis
Information from Source
The threat actor published a post on the cybercrime forum sharing a list of ~100,000 targets. The actor claims that 18% of Microsoft Exchange servers are vulnerable to ProxyShell, while 40% are vulnerable to CVE-2021-31206, to which Microsoft has assigned the name Microsoft Exchange Server Remote Code Execution Vulnerability. The threat actor claims to have collected the list of vulnerable systems from the following companies:
- Shodan: a search engine that lets the user find specific types of systems connected to the internet using a variety of filters.
- Censys: a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
- Zoomeye: a cyberspace mapping and search engine.
As per the list shared by the threat actor, ~100,000 targets are vulnerable to the ProxyLogon vulnerability. The files shared by the actor are in .csv format and contain multiple data fields such as Target Domain, Service Provider, Country, etc.
Top countries impacted are:
| Country | No. of Targets |
| --- | --- |
| United States | 28,029 |
| Germany | 17,762 |
| United Kingdom | 5,784 |
| France | 4,246 |
| Netherlands | 3,964 |
| Canada | 3,687 |
| Italy | 3,212 |
| Russian Federation | 3,180 |
| Switzerland | 2,818 |
| Austria | 2,686 |
| Australia | 2,678 |
| China | 1,401 |
| Czech Republic | 1,164 |
| Belgium | 1,096 |
| Hong Kong | 869 |
| Turkey | 824 |
| Japan | 822 |
| Taiwan | 800 |
| Spain | 763 |
| Denmark | 751 |
| Sweden | 702 |
| Brazil | 640 |
| Poland | 506 |
| Portugal | 489 |
| Hungary | 482 |
| New Zealand | 463 |
| South Africa | 406 |
| India | 358 |
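The target list described above is plain CSV with Target Domain, Service Provider and Country fields, and the first thing a defender wants from such a file is whether any of their own hosts appear in it and how the exposure is distributed. The Python below is an added example, not code from CloudSEK or from the advisory; the CSV rows, the apex-domain list and the helper names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the layout the advisory describes
# (Target Domain, Service Provider, Country); not rows from the actor's files.
SAMPLE_CSV = """Target Domain,Service Provider,Country
mail.example.com,Example Hosting,United States
exchange.example.co.uk,Example Hosting,United Kingdom
owa.other-org.test:443,Other ISP,Germany
https://autodiscover.example.com/,Example Hosting,United States
"""


def normalize_domain(value: str) -> str:
    """Strip scheme, path and port so entries compare as bare hostnames."""
    value = value.strip().lower()
    if "://" in value:
        value = value.split("://", 1)[1]
    value = value.split("/", 1)[0]
    value = value.split(":", 1)[0]
    return value.rstrip(".")


def owned_by(host: str, apex_domains: Set[str]) -> Optional[str]:
    """Return the owned apex domain the host falls under, or None."""
    # Longest apex first so a more specific apex wins over a shorter one.
    for apex in sorted(apex_domains, key=len, reverse=True):
        if host == apex or host.endswith("." + apex):
            return apex
    return None


def triage(csv_text: str, apex_domains: Set[str]) -> Tuple[Counter, Dict[str, List[str]]]:
    """Count targets per country and collect hosts under the given apex domains."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_country = Counter(row["Country"].strip() for row in rows)
    hits: Dict[str, List[str]] = {}
    for row in rows:
        host = normalize_domain(row["Target Domain"])
        apex = owned_by(host, apex_domains)
        if apex is not None:
            hits.setdefault(apex, []).append(host)
    return per_country, hits


if __name__ == "__main__":
    counts, matches = triage(SAMPLE_CSV, {"example.com", "example.co.uk"})
    print(counts.most_common(), matches)
```

Hosts that match an owned apex domain are the ones to verify first against the installed Exchange cumulative update and security update level.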
The critical MS Exchange Vulnerabilities mentioned by the threat actor are:
| ProxyLogon Chain Vulnerabilities | ProxyShell Chain Vulnerabilities |
| --- | --- |
| CVE-2021-26855 | CVE-2021-34473 |
| CVE-2021-26857 | CVE-2021-34523 |
| CVE-2021-26858 | CVE-2021-31207 |
| CVE-2021-27065 | |
Source Rating
- The actor has a high reputation on the forum.
- The information shared by the actor seems logical and consistent.
- Most of the databases the actor has shared in the past are legitimate leaks.
Hence:
- The reliability of the actor can be rated Usually Reliable (B).
- The credibility of the advertisement can be rated Possibly True (2).
This gives an overall source credibility of B2.
Impact & Mitigation
Impact:
- MS Exchange RCE (Remote Code Execution) gives an attacker the ability to execute commands on a vulnerable server.
- An initial foothold enables lateral movement that could potentially facilitate network takeover.

Mitigation:
- Install the following ProxyLogon patches:
- Install the following ProxyShell patches:
Appendix