[German]Microsoft Exchange on-premises servers that are not up to date with the latest patches are vulnerable to attacks via the ProxyNotShell vulnerabilities. Then, a couple of days ago, there was information that the hacker group FIN7 had been setting up an automated attack platform to penetrate vulnerable Exchange servers. And now the information reaches me that possibly up to 70,000 Exchange servers worldwide are vulnerable to FIN7 ProxyNotShell attacks.
Exchange and ProxyNotShell
In late September 2022, a new 0-day exploit method (ProxyNotShell) was found for on-premises Exchange Server, for which Microsoft released several URL rewrite rules at once in October 2022 as interim protection (see Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333 and the the links at the end of the articles ). Microsoft then released a security update in November 2022 to close the vulnerabilities (see Exchange Server security updates (November 8, 2022)).
Microsoft Exchange servers that are not up to the new patch level are at risk of attackers abusing the ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082 as an entry vector to Microsoft Exchange Server. Before Christmas, I had reported about a suspected new attack vector used by the Play Ransomware group for successful attacks via the ProxyNotShell vulnerabilities (see Microsoft Exchange: New OWASSRF exploit method (ProxyNotShell) used by play ransomware).
FIN7 group uses an auto attack platform
FIN7 is a Russian advanced persistent threat (APT) group that has increasingly targeted the U.S. retail, restaurant and hospitality sectors since mid-2015. Part of FIN7 is run by the front company Combi Security and Bastion Secure, as AVAST discloses in this post. While there have been arrests of group members in 2018 – security researchers from Kaspersky have observed further attacks and also cooperation with the banking-focused Carbanak cybergang.
There is an article from Prodraft dated December 22, 2022 that reveals many of the group's internal workings. The colleagues from Bleeping Computer then covered these findings in this article. In a nut shell: An automated attack system christened "Checkmarks" was discovered by Prodraft, which includes a scanner for Microsoft Exchange vulnerabilities such as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. The group uses the scanner to detect Exchange servers that are vulnerable with respect to above vulnerabilities.
The vulnerabilities allow remote code execution and elevation of privileges. Using various exploits, FIN7 then attempts to gain access to the target networks via the attacked Exchange servers. The Checkmarks attack platform also includes an SQL injection module that uses SQLMap to look for potentially exploitable vulnerabilities on a target's website.
New victims found in this way are automatically added to a central panel. There, FIN7 hackers can query additional details about the compromised endpoint. In further steps, other team members add "marketing" material to the entries, such as the victim's income, number of employees, details about the company, and so on. If a company is classified as a lucrative candidate, pentesters provide clues for a possible attack. Thus, the FIN7 group has a sophisticated organizational structure to select its attack targets.
According to Prodaft, FIN7's Checkmarks platform has already been used to infiltrate 8,147 companies (out of 1.8 million scanned targets). In the process, 16.7% of the infected systems run in the US. Meanwhile, there is a November 2022 report from Sentinel Labs that the FIN7 group is linked to the Black Basta ransomware gang. And security firm Mandiant has already linked FIN7 to Darkside operations in April 2022.
In addition, security researchers found ample evidence of communication with several ransomware gangs, including Darkside, REvil, and LockBit, in the retrieved Jabber logs. FIN7 and their "Checkmarks" attack system thus have the potential for major ransomware attack waves on Exchange servers vulnerable via vulnerabilities.
ProxyNotShell: 70,000 vulnerable Exchange servers
And then another tweet came to my attention from Shadowserver, who are scanning the Internet for Microsoft Exchange servers vulnerable to the ProxyNotShell vulnerability CVE-2022-4108 (the report can be found here).
The result of these scans is that nearly 70,000 Exchange servers worldwide were found to have arguably not received patches to close the ProxyNotShell vulnerability CVE-2022-4108. While there is some uncertainty because only certain version information was queried.
However, if the Exchange servers are not at the November 2022 patch level, it should be assumed as a precaution that they have already been attacked and compromised. This also applies if the URL rewrite rules suggested by Microsoft to defend against ProxyNotShell attacks are set. Because I had mentioned in the article Microsoft Exchange: New OWASSRF exploit method (ProxyNotShell) used by play ransomware that these URL rewrite rules can probably be bypassed by new exploit methods.
Current data of vulnerable Exchange servers can be viewed in the shadow server dashboard. In the above image, I have displayed the numbers as of December 27, 2022 for Europe. With over 13,000 entries, Germany is far ahead of other EU countries. For North America, over 17,000 entries are listed for the United States. Let's hope that the on-premises Exchange servers of the blog readership are patched and clean.
Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022)
Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333
Update on Exchange Server 0-day Vulnerability ZDI-CAN-18333: Fixes, Scripts and EMS Solution
Exchange Server: Microsoft updates it's mitigation for the 0-day ProxyNotShell vulnerability (October 5, 2022)
Exchange Server: Microsofts improves solutions for 0-day mitigation again (October 8, 2022)
Exchange Server security updates (November 8, 2022)
Ransomware attack responsible for Rackspace Exchange instance outage in Dec. 2022
Microsoft Exchange: New OWASSRF exploit method (ProxyNotShell) used by play ransomware
Cookies helps to fund this blog: Cookie settings