Active Targets for ProxyLogon Vulnerability Shared on Cybercrime Forum

Summary

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising “Active Targets for ProxyLogon Vulnerability” databases, allegedly compiled from Shodan, Censys, and Zoomeye.

Category: Vulnerability Advisory
Affected Industries: Multiple
Affected Region: Global
Source: B2 *
TLP: GREEN #
Reference: * Intelligence source and information reliability - Wikipedia; # Traffic Light Protocol - Wikipedia

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising databases allegedly belonging to Shodan, Censys, and Zoomeye.
  • The threat actor claims that the IP addresses of these companies’ systems have unpatched MS Exchange Servers that are vulnerable to ProxyShell.
  • The CloudSEK Threat Intelligence Research team is validating the authenticity of this post.

(Image: threat actor’s post on the cybercrime forum)

Analysis

Information from Source

The threat actor published a post on the cybercrime forum sharing a list of ~100,000 targets. The actor claims that 18% of Microsoft Exchange servers are vulnerable to ProxyShell, while 40% are vulnerable to CVE-2021-31206, which Microsoft has named Microsoft Exchange Server Remote Code Execution Vulnerability. The threat actor claims to have collected the list of vulnerable systems from the following companies:

  • Shodan: a search engine that lets the user find specific types of systems connected to the internet using a variety of filters.
  • Censys: a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
  • Zoomeye: a cyberspace mapping and search engine.

According to the list shared by the threat actor, ~100,000 targets are vulnerable to the ProxyLogon vulnerability. The files shared by the actor are in .csv format and contain multiple data fields such as Target Domain, Service Provider, and Country. The top countries impacted are:

(Image: top countries impacted)

Source Rating

  • The actor has a high reputation on the forum.
  • The information shared by the actor seems logical and consistent.
  • Most of the databases the actor has shared in the past are legitimate leaks.

Hence,

  • The reliability of the actor can be rated Usually Reliable (B).
  • The credibility of the advertisement can be rated Possibly True (2).

This gives an overall source credibility rating of B2.

Impact & Mitigation

(Image: impact and mitigation)
