
The History of ProxyNotShell, The Microsoft Vulnerability 

TL;DR: ProxyNotShell, a Microsoft Exchange vulnerability, evolved from ProxyShell, causing significant cybersecurity issues. Despite patches, vulnerabilities persisted, leading to widespread exploitation. Businesses must prioritize patching, proactive security measures, and vigilance to mitigate such threats. 

Main Points: 

  1. Emergence: ProxyNotShell evolved from ProxyShell vulnerabilities discovered in 2021. 
  2. Vulnerabilities: CVE-2022-41040 and CVE-2022-41082 allowed significant exploitation. 
  3. Patches: Microsoft released patches, but gaps remained. 
  4. Current Threat: Many servers remain vulnerable due to ineffective mitigations. 
  5. Lessons: Emphasize timely patching, proactive measures, and continuous vigilance. 

ProxyNotShell, a Microsoft Exchange vulnerability, has significantly impacted cybersecurity. 

Its discovery sparked an ongoing battle between Microsoft's patches and threat actors' exploitation attempts. However, many businesses may not understand the long history of ProxyNotShell vulnerabilities and how they evolved to this point.  

The Emergence of the ProxyNotShell Exploit 

ProxyNotShell starkly reminds us of the ever-present threat landscape in cybersecurity. To truly understand how it came to be, it is important to look back at a series of flaws known as ProxyShell.  

ProxyShell: The Original Vulnerabilities 

In 2021, a chain of vulnerabilities known as ProxyShell was identified. This critical chain of flaws in Microsoft Exchange Server (2013, 2016, and 2019) allowed attackers to take control of the server remotely through a series of steps, even if they were not authorized users. 

The vulnerabilities were relatively easy to exploit to perform a Remote Code Execution (RCE) attack.  

The chain of three vulnerabilities included: 

  1. CVE-2021-34473: This vulnerability lets attackers bypass the lock (authentication) on the Microsoft Exchange server. 
  2. CVE-2021-34523: Once in, attackers could use this like a back door to steal information or sneak malware in. 
  3. CVE-2021-31207: Finally, this flaw allowed attackers to take complete control of the server. They could steal everything, change settings, or even use the server for more cyberattacks. 

When used together (ProxyShell), these three flaws gave attackers immense power. 

The ProxyShell Patch 

Microsoft released security updates to address ProxyShell in Exchange Servers (2013, 2016, and 2019) and emphasized the importance of keeping Exchange servers updated with the latest Cumulative Update and Security Update. However, this was not always followed, and attackers quickly targeted unpatched servers, highlighting the importance of timely updates. Furthermore, experts later discovered that the ProxyShell patches were only partially effective. 

ProxyNotShell Detection 

Fast-forward to August 2022. A cybersecurity company's Security Operations Center (SOC) noticed an attack on their Exchange servers that initially appeared as a new, unknown zero-day vulnerability. However, upon closer inspection, the attack requests resembled ProxyShell, raising suspicion. 

Further investigation revealed a surprising truth: the ProxyShell patches did not fully work. Attackers discovered ways to bypass the fixes, leading to a new set of vulnerabilities known as ProxyNotShell.  

It was not until September that these flaws were disclosed. 

What is ProxyNotShell? 

In October 2022, The Hacker News reported on a new exploit – ProxyNotShell. 

They explained that the exploit takes advantage of a chain of two Microsoft Exchange vulnerabilities, starting with a Server-Side Request Forgery (SSRF): 

  1. CVE-2022-41040: Allowed attackers with some level of access to manipulate the server into fetching information or performing actions on other internal systems or even external websites. 
  2. CVE-2022-41082: If attackers could leverage the SSRF vulnerability to gain a foothold, they could potentially exploit this RCE to execute malicious code on the server. Like ProxyShell, this meant attackers could steal data, disrupt operations, or launch further attacks within the network. 

The Significance of the ProxyNotShell Exploit 

The significance of ProxyNotShell lies in its potential for widespread damage.  

Unlike its predecessor ProxyShell, which did not require any initial access, ProxyNotShell required the attacker to already hold some level of access, however minimal. This could come from a compromised user account, a phishing email campaign, or any other technique that grants a foothold within the system. 

The ease of exploitation and the potential consequences made ProxyNotShell a highly attractive tool for malicious actors. Ransomware gangs, nation-state attackers, and cybercriminals alike could target vulnerable Exchange servers worldwide, resulting in a significant number of breaches, data leaks, and disruptions for organizations across various sectors. 

The ProxyNotShell Patch 

Once these vulnerabilities were discovered, Microsoft scrambled to find a solution. One ProxyNotShell mitigation Microsoft recommended was for users to apply URL Rewrite instructions for the Autodiscover endpoint. However, its effectiveness was uncertain, and it was not a complete solution. 

A month later, in November, Cybersecurity Dive reported that Microsoft finally released a security update for ProxyNotShell as part of its November "Patch Tuesday" release. By this time, Microsoft had confirmed that ProxyNotShell had been used in "limited, targeted attacks." 

Some were surprised that the ProxyNotShell patch was released as a traditional security update rather than an immediate hotfix.  

Where the ProxyNotShell Exploit Stands Today 

ProxyNotShell is still relevant almost two years after the initial discovery of these vulnerabilities (and three years since the original ProxyShell). 

In January 2023, it was reported that "Approximately 60,000 IP addresses with internet-facing Exchange Server instances are still vulnerable to ProxyNotShell flaw CVE-2022-41082."  

TechTarget reports that this was largely due to a new exploit chain using one of the ProxyNotShell vulnerabilities. The new exploit chain, known as "OWASSRF" (Outlook Web Access Server-Side Request Forgery), allowed attackers to bypass Microsoft's URL Rewrite mitigations previously mentioned. It combined ProxyNotShell bug CVE-2022-41082 with elevation of privilege flaw CVE-2022-41080, which could be used to carry out ransomware attacks. 

This exploit proved dangerous because organizations that had applied the ProxyNotShell mitigations were still unsafe. They may have been under the impression that a further patch was not necessary, leaving them vulnerable. 

The solution? Organizations were heavily encouraged to apply the November 2022 Patch Tuesday fix. 
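As an added example (not code from the original post), here is a small IIS log hunt in Python of the kind the SOC in this story would run: it flags successful requests that reached the Exchange PowerShell backend and notes whether an Autodiscover-scoped rewrite rule, like the interim mitigation described above, would have covered each one, which illustrates why OWASSRF-style requests through a different endpoint slipped past that mitigation. The log lines, the field layout and the simplified rule pattern are assumptions constructed for this example.

```python
import re

# Constructed IIS W3C-style log lines (date time cs-method cs-uri-stem cs-uri-query sc-status).
# These are stand-ins built for this example, not captured traffic.
SAMPLE_IIS_LOG = """\
2022-09-30 08:01:12 GET /owa/auth/logon.aspx - 200
2022-09-30 08:01:40 POST /autodiscover/autodiscover.json a=user@contoso.test/powershell 200
2022-09-30 08:02:05 GET /ecp/default.aspx - 200
2022-12-02 11:15:33 POST /owa/user@contoso.test/powershell - 200
2022-12-02 11:16:01 POST /autodiscover/autodiscover.json a=user@contoso.test/powershell 401
"""

# Simplified stand-in for an Autodiscover-scoped URL Rewrite rule: it only
# matches "autodiscover.json ... powershell" in the request URI (assumption:
# the real interim rule changed several times; this models its scope only).
AUTODISCOVER_RULE = re.compile(r"autodiscover\.json.*powershell", re.IGNORECASE)

# What the chain ultimately reaches: the Exchange PowerShell backend.
POWERSHELL_BACKEND = re.compile(r"/powershell", re.IGNORECASE)


def parse_iis_line(line):
    """Split one log line into its fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, stem, query, status = parts
    uri = stem if query == "-" else f"{stem}?{query}"
    return {"when": f"{date} {time}", "method": method, "uri": uri, "status": int(status)}


def hunt_powershell_backend(log_text):
    """Return successful requests that reached the PowerShell backend, noting
    whether the Autodiscover-scoped rewrite rule would have caught each one."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None or rec["status"] != 200:
            continue  # failed or blocked requests are noise for this hunt
        if not POWERSHELL_BACKEND.search(rec["uri"]):
            continue
        rec["covered_by_autodiscover_rule"] = bool(AUTODISCOVER_RULE.search(rec["uri"]))
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in hunt_powershell_backend(SAMPLE_IIS_LOG):
        tag = "rule covers" if f["covered_by_autodiscover_rule"] else "RULE GAP"
        print(f"{f['when']} {f['method']} {f['uri']} -> {tag}")
```

Any request the hunt reports as a rule gap is one that only the November 2022 security update, not the rewrite rule, protects against.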

Lessons Learned from ProxyNotShell Vulnerabilities 

The ProxyNotShell exploit serves as a wake-up call for the cybersecurity community. It highlights the importance of prompt patching, proactive security measures, and staying vigilant in the face of evolving threats. 

  • Prompt Patching: Microsoft released security patches to address both vulnerabilities soon after their discovery. However, organizations must prioritize applying them; without these patches, they leave their systems vulnerable.
    This emphasizes the need for a culture of security awareness within organizations. IT leaders should ensure timely updates for all software, especially critical systems like Exchange servers. 
  • Proactive Security Measures: Though patching is essential, it is not the end-all-be-all security measure. Organizations should implement additional measures such as network segmentation, intrusion detection systems, and multi-factor authentication to reduce the risk of successful attacks, even while vulnerabilities exist.
    This layered approach creates multiple hurdles for attackers, making weaknesses harder to exploit, which matters because many businesses do not learn about a vulnerability until much later. 
  • Staying Vigilant: The cybersecurity landscape is constantly evolving. New threats emerge, and attackers develop new techniques. Organizations must remain vigilant, monitoring their systems for suspicious activity and continuously updating their security posture.
    Threat intelligence and ongoing security awareness training for employees are crucial. 

The Evolving Threat Landscape: Looking Ahead 

The history of ProxyNotShell showcases attackers' potential for bypassing existing security measures. It reminds us that even seemingly patched vulnerabilities can be exploited, demanding a proactive and layered approach to cybersecurity. 

Organizations must prioritize a culture of security awareness. This includes continuous monitoring of threats and staying on top of the latest cybersecurity news. When new security updates are available, they should be implemented right away. 

Learn more about how ThreatLocker® can help organizations build a more resilient future against these ever-evolving threats.