More than 60,000 Microsoft Exchange Servers remain unpatched and vulnerable against the so-called ProxyNotShell vulnerability, it has been revealed. Exchange Server vulnerabilities are popular among criminal gangs, and security agencies have released strict guidelines for implementing patches or separating the servers from the internet to try to counter potential attacks.
Data released this week by the ShadowServer Foundation, a non-profit focusing on internet security, found that 60,865 servers have not yet been patched against the vulnerability, which was discovered last year.
How ProxyNotShell impacts Microsoft Exchange servers
ProxyNotShell is the name given to two specific Microsoft Exchange server vulnerabilities, CVE-2022-41082 and CVE-2022-41040. These exploits affect Exchange Servers 2013, 2016 and 2019 and, once deployed, enable attackers to carry out remote code execution on compromised systems.
Microsoft released patches for the ProxyNotShell vulnerabilities in November, but many companies have been slow to implement the security measures, despite Microsoft stating at the time that it “recommends that customers protect their organisations by applying the updates immediately to affected systems”.
Hacking gangs Play, LockBit and BlackCat are among those known to have taken advantage of the vulnerability. Play uses Microsoft Exchange Server vulnerabilities as a leading technique of intrusion, according to security company Crowdstrike. While investigating Play’s attack tactics, researchers found Microsoft Exchange servers were exploited almost every time. “It appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange,” the Crowdstrike report says.
US cybersecurity agency CISA, its UK equivalent the National Cyber Security Centre (NCSC), and the FBI, have all released guidance urging companies to keep Microsoft Exchange server patches up to date to guard against exploitation of vulnerabilities such as ProxyNotShell.
“If organisations cannot install the updates or apply any of the mitigations the NCSC recommends isolating the exchange server from the internet,” NCSC guidance says.
Rackspace hack highlights vulnerability of Microsoft Exchange servers
Meanwhile other vulnerabilities in Microsoft Exchange have also proved problematic for businesses. The recent attack on Rackspace was perpetrated by Play, and left users of Rackspace’s managed Microsoft Exchange environment without access to their emails. Karen O’Reilly-Smith, Rackspace’s chief security officer, explained that the attack was linked to a zero-day exploit associated with CVE-2022-41080.
The incident was first announced on 2 December last year, and the company is still working through returning lost data to customers impacted by the attack.
“Microsoft disclosed CVE-2022-41080 as privilege escalation vulnerability, and did not include notes for being part of a Remote Code Execution chain that was exploitable,” O’Reilly-Smith said.