ProxyNotShell Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/proxynotshell/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Wed, 12 Apr 2023 23:53:08 +0000

Top 3 Vulnerabilities of 2023: How to Block and Prevent
https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/
Fri, 07 Apr 2023 18:14:59 +0000

The post Top 3 Vulnerabilities of 2023: How to Block and Prevent appeared first on Gridinsoft Blog.

Any successful cyber attack begins with penetrating the target network. Whatever the payload, a stealer, ransomware, or other malware, the criminals first have to get past the network defenses. According to an expert report, in 2022, 50% of successful infiltrations were performed using previously known vulnerabilities.

Top Vulnerabilities 2023

According to the cybersecurity report in 2023, previously known vulnerabilities reported over the past three years remain a cause for concern. In 24 percent of all cyberattacks, cybercriminals used vulnerabilities disclosed in 2022. In second place are vulnerabilities disclosed in 2021, accounting for 18%. That, by the way, refutes any claim that updating software and using security tools is pointless: with both in place, you cut off over 40% of all possible attack vectors. Now let's have a look at the most widespread exploits.

ProxyShell

ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207; CVSS severity rating of 3.1) is an attack chain that exploits three vulnerabilities in Microsoft Exchange Server – ProxyShell, ProxyLogon, and ProxyNotShell. Using these vulnerabilities, unauthenticated attackers can remotely execute code on vulnerable servers. Although these vulnerabilities were discovered and patched in 2021, they are still among the most exploited and often lead to significant security breaches.

[Figure: ProxyShell, the Exchange Server exploit chain]

Follina in Microsoft Office

Recently, Microsoft disabled by default the execution of macros in documents from external sources. However, this has not stopped attackers: they use specially crafted .docx and .rtf documents to download and execute malicious code. To do this, they exploit the Follina vulnerability (CVE-2022-30190, CVSS severity rating of 7.8) on unpatched systems to deploy Qbot or other Remote Access Trojans. It allows malicious code to run even if macros are disabled or the document is protected, making Follina one of the most commonly used vulnerabilities discovered in 2022.

[Figure: The general idea of the Follina exploit mechanism]

Fortinet

Two critical bugs were reported in Fortinet products in October and December 2022 (CVSS scores: 9.6 and 9.3). These bugs allow unauthenticated attackers to execute arbitrary code using specially crafted requests. Even though the company has issued updates and CISA has warned of significant risk to federal organizations, as of early 2023, 18% of organizations had been victims of attacks exploiting the CVE-2022-40684 vulnerability.

Causes

Experts note that attackers often exploit Remote Code Execution (RCE) vulnerabilities and Remote Desktop Protocol services left exposed to gain access to the network and deploy malicious code. However, many organizations do not run protections on servers for fear of performance degradation. Moreover, security and network equipment vendors often ship admin/password as the default login combination. Even worse, some users never change this combination when they first configure the device, which makes life easier for an intruder.

How to prevent

Fortunately, you can fix that. Therefore, I’ve put together some tips below that you can follow to reduce the chance of negative consequences:


  • Install the latest updates. Since Microsoft regularly releases patches for vulnerabilities as part of its monthly security updates, we strongly recommend that you do not ignore these updates. This also applies to other products like Microsoft Office and Fortinet software.
  • Change server settings. To restrict access to Exchange virtual directories, you can change server settings to limit access to virtual directories from the internal network only.
  • Review the audit log. This will help you detect attempted attacks and take quick action to prevent them. Also, ensure that the audit logs are correctly configured to record enough information about events on the server.
  • Train your employees. Educating users on security fundamentals is equally important, such as recognizing phishing and never opening suspicious links or email attachments. It’s also important not to share sensitive data upon request.
  • Implement strict security policies and enforce them. This may include prohibiting the use of personal devices for work, including smartphones, tablets, and laptops, unless they meet your security standards.
  • Limit access to the configuration interface to only authenticated users with the necessary permissions. It will help prevent unauthorized access to the device settings.
  • Use additional security measures such as multi-factor authentication (MFA) to protect access to the device. This will add an extra layer of security.
  • Use solutions like Secure Access Service Edge (SASE). SASE combines multiple security functions, such as authentication, authorization and threat protection, with network and application access functions, such as virtual private networks (VPNs) and routing, into a single system, providing more effective and convenient security for the corporate network.

Conclusion

In the digital age, the security of software applications and systems has become increasingly crucial as malicious actors constantly look for vulnerabilities to exploit. News of cyberattacks is in the spotlight, and the severity of attacks continues to grow, so everyone needs to strengthen their organization’s security through education, awareness, and training. Cybersecurity threats permeate new environments as technology evolves, but many threats will remain the same. Therefore, continuous assessment of processes, people, and systems is necessary for organizations to be prepared and operationally resilient. By using the knowledge of ethical hackers, conducting regular testing, and using automation, organizations can be better ready for potential threats.


Exploit for Vulnerabilities ProxyNotShell Appeared on the Network
https://gridinsoft.com/blogs/exploit-for-proxynotshell-vulnerabilities/
Wed, 23 Nov 2022 09:45:06 +0000

The post Exploit for Vulnerabilities ProxyNotShell Appeared on the Network appeared first on Gridinsoft Blog.

Experts warned that an exploit for two high-profile vulnerabilities in Microsoft Exchange, which are collectively called ProxyNotShell, has appeared in the public domain.

The vulnerabilities have been used by hackers before, but now there may be more attacks.

Initially, ProxyNotShell problems (CVE-2022-41040 and CVE-2022-41082) were discovered in September by analysts from the Vietnamese company GTSC. Let me remind you that the bugs affected Microsoft Exchange Server 2013, 2016 and 2019 and allowed attackers to elevate privileges to run PowerShell in the system context, as well as achieve remote code execution on a compromised server.

As Microsoft soon confirmed, hackers have already exploited these problems. Experts wrote that at least one group used bugs against about 10 companies around the world.

Let me remind you that we also reported that the US and UK accused China of attacks on Microsoft Exchange servers.

The interest in ProxyNotShell turned out to be so great that experts kept almost all the technical details of the vulnerabilities secret, so that even more attackers would not exploit them. However, scammers did not fail to take advantage of this situation and started selling fake exploits for ProxyNotShell online.

Now, after the vulnerabilities have finally been fixed (with the release of the November updates), the information security researcher known by the nickname Janggggg has made public the PoC exploit that the attackers used against Exchange servers.

The authenticity and operability of this exploit have already been confirmed by Will Dormann, a well-known information security specialist and analyst at ANALYGENCE. He said that the exploit works against systems running Exchange Server 2016 and 2019, but the code needs some work before it can be used against Exchange Server 2013.

[Image: Exploit for ProxyNotShell vulnerabilities]

According to researchers at Greynoise, who have been tracking ProxyNotShell usage since late September, the vulnerabilities are still being attacked, and there may be more attacks now that the exploit has been published.


Let me remind you that attackers use these bugs to deploy China Chopper web shells on compromised servers in order to gain a foothold in the system, steal data, and organize lateral movement within victims' networks.
