| Field | Value |
| --- | --- |
| Category | Vulnerability Advisory |
| Affected Industries | Multiple |
| Affected Region | Global |
| Source* | B2 |
| TLP# | GREEN |
| Reference | * Source and information reliability: https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability; # Traffic Light Protocol: https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising databases allegedly belonging to Shodan, Censys, and Zoomeye.
- The threat actor claims the data consists of IP addresses, collected from these companies' search engines, of unpatched MS Exchange servers that are vulnerable to ProxyShell.
- The CloudSEK Threat Intelligence Research team is validating the authenticity of this post.
Analysis
Information from Source
The threat actor published a post on the cybercrime forum sharing a list of ~100,000 targets. The actor claims that 18% of Microsoft Exchange servers are vulnerable to ProxyShell, while 40% are vulnerable to CVE-2021-31206, which Microsoft names Microsoft Exchange Server Remote Code Execution Vulnerability. The threat actor claims to have collected the list of vulnerable systems from the following companies:
- Shodan: a search engine that lets users find specific types of internet-connected systems using a variety of filters.
- Censys: a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
- Zoomeye: a cyberspace mapping and search engine.
| Country | No. of Targets | Country | No. of Targets |
| --- | --- | --- | --- |
| United States | 28,029 | Hong Kong | 869 |
| Germany | 17,762 | Turkey | 824 |
| United Kingdom | 5,784 | Japan | 822 |
| France | 4,246 | Taiwan | 800 |
| Netherlands | 3,964 | Spain | 763 |
| Canada | 3,687 | Denmark | 751 |
| Italy | 3,212 | Sweden | 702 |
| Russian Federation | 3,180 | Brazil | 640 |
| Switzerland | 2,818 | Poland | 506 |
| Austria | 2,686 | Portugal | 489 |
| Australia | 2,678 | Hungary | 482 |
| China | 1,401 | New Zealand | 463 |
| Czech Republic | 1,164 | South Africa | 406 |
| Belgium | 1,096 | India | 358 |
[Table: ProxyLogon Chain Vulnerabilities | ProxyShell Chain Vulnerabilities; column headings only, table body not recovered]
- The actor has a high reputation on the forum.
- The information shared by the actor seems logical and consistent.
- Most of the databases the actor has shared in the past are legitimate leaks.
- The reliability of the actor can be rated Usually Reliable (B).
- The credibility of the advertisement can be rated Possibly True (2).
Impact & Mitigation
[Table: Impact | Mitigation; column headings only, table body not recovered]