Email security, Vulnerability Management

Over 60,000 Microsoft Exchange servers still unpatched against ProxyNotShell exploits

Security researchers with the Shadowserver Foundation announced that 60,865 Microsoft Exchange servers remain unpatched against the CVE-2022-41082 remote code execution flaw, reports BleepingComputer. This number is down from 83,946 instances recorded in mid-December. The vulnerability and one other, identified as CVE-2022-41040, are collectively called ProxyNotShell and allow threat actors to escalate privileges on servers they have successfully compromised, up to achieving arbitrary or remote code execution. Microsoft released a patch to address the flaws in November.

Mitigation measures provided earlier are becoming less effective, raising the importance of fully patching the servers. For example, a new exploit chain is currently active and works by bypassing ProxyNotShell URL rewrite mitigations to achieve remote code execution on vulnerable servers via Outlook Web Access. Various cybercrime groups have jumped at the opportunity, including the FIN7 cybercrime organization, which created Checkmarks, a custom auto-attack platform designed to breach lucrative Exchange servers by scanning for related vulnerabilities. More than 8,000 organizations have already been infiltrated by the platform, with 16.7% located in the U.S., according to threat intelligence firm Prodaft.
