Two zero-day Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell), are being actively exploited in the wild, with over 1.6 million exploit attempts observed across 4 million protected websites. The activity shows GET-based probing against autodiscover endpoints, PowerShell usage in payloads, a mix of user-agents, and a large share of traffic coming from DigitalOcean IP ranges; exploitation requires valid credentials to proceed.
Key points
- ProxyNotShell vulnerabilities CVE-2022-41040/41082 are actively being exploited in the wild, with 1,658,281 exploit attempts tracked across 4 million protected sites.
- A significant portion of attack traffic originates from DigitalOcean IPs, with 192.241.192.0/19 forming nearly one-third of logged requests.
- The top 20 IP addresses responsible for most attempts include 91.245.255.98, 152.89.198.108, 199.47.92.216, and 192.241.217.237 among others.
- Attackers probe by making GET requests to autodiscover endpoints (e.g., /autodiscover/autodiscover.json) and incorporate PowerShell into the request parameters.
- Common user-agents include Firefox on Windows, various macOS browsers, and tooling such as the Nmap Scripting Engine and Fuzz Faster U Fool (ffuf), indicating a mix of automated scanners and script-based tools.
- Exploitation can lead to remote code execution on vulnerable Exchange servers, but ProxyNotShell requires the attacker to be authenticated with a real email address to succeed.
- Threat activity is periodically updated in Wordfence’s IP Threat Feed (rce category) and can be monitored hourly as new IPs are observed.
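As an added example (not code from the Wordfence post), a small log-scanning check that flags the probing pattern described above: GET requests to /autodiscover/autodiscover.json whose decoded query string carries an '@' together with 'powershell', and notes whether the source sits in the 192.241.192.0/19 range. The log lines are constructed, and the '@ plus powershell' heuristic is an assumption derived from the two sample URLs, not Wordfence's own rule.

```python
import ipaddress
from urllib.parse import unquote

# Source range called out in the post; a defender would usually watch it rather than block outright.
WATCHED_RANGE = ipaddress.ip_network("192.241.192.0/19")

# Constructed sample log lines (not real traffic): client_ip method path query user_agent
SAMPLE_LOG = """\
192.241.217.237 GET /autodiscover/autodiscover.json %40zdi%2FPowershell= Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
91.245.255.98 GET /autodiscover/autodiscover.json a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell Fuzz Faster U Fool v1.5.0-dev
203.0.113.10 GET /autodiscover/autodiscover.json Email=user%40example.com&Protocol=Autodiscoverv1 Microsoft Office/16.0
203.0.113.11 GET /owa/auth/logon.aspx - Mozilla/5.0
"""

def parse_line(line):
    """Split one space-delimited line; the user-agent is the remainder and may contain spaces."""
    ip, method, path, query, ua = line.split(" ", 4)
    return {"ip": ip, "method": method, "path": path, "query": query, "ua": ua}

def is_proxynotshell_probe(path, query):
    """Heuristic (assumption, not Wordfence's rule): an autodiscover.json request whose
    decoded query contains '@' (the autodiscover path-confusion marker) and 'powershell'."""
    if not path.lower().startswith("/autodiscover/autodiscover.json"):
        return False
    decoded = unquote(query).lower()  # one decode pass: %40 -> '@', %2F -> '/'
    return "@" in decoded and "powershell" in decoded

def in_watched_range(ip):
    """True when the client address falls inside the DigitalOcean range from the post."""
    try:
        return ipaddress.ip_address(ip) in WATCHED_RANGE
    except ValueError:
        return False

def scan_log(text):
    """Return one record per flagged line, keeping the fields an analyst would pivot on."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "GET" and is_proxynotshell_probe(rec["path"], rec["query"]):
            rec["in_watched_range"] = in_watched_range(rec["ip"])
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["in_watched_range"], hit["ua"])
```

A legitimate autodiscover lookup (an Email parameter with an '@' but no PowerShell reference) is left alone, which is the false-positive case the heuristic must survive.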
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The ProxyNotShell exploit is used against a vulnerable Exchange Server to achieve RCE. Quote: ‘the ProxyNotShell exploit used on a vulnerable Exchange server can lead to remote code execution.’
- [T1059.001] PowerShell – The exploit activity and payloads rely on PowerShell, as shown by query strings including ‘…&FooProtocol=Powershell HTTP/1.1’ and other references to PowerShell usage. Quote: ‘…FooProtocol=Powershell HTTP/1.1’
- [T1078] Valid Accounts – The vulnerability requires the attacker to be authenticated with a real email address to exploit ProxyNotShell. Quote: ‘ProxyNotShell requires the threat actor to be authenticated with a real email address in order to exploit the vulnerability.’
Indicators of Compromise
- [IP Address] 91.245.255.98, 152.89.198.108, and 18 more IPs in the top 20 list (attack sources)
- [IP Address] 192.241.192.0/19 CIDR range used by DigitalOcean hosts (attack infrastructure)
- [User-Agent] Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0, Fuzz Faster U Fool v1.5.0-dev
- [URL] /autodiscover/autodiscover.json?%40zdi%2FPowershell= HTTP/1.1, /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1
Read more: https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/