ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

July 5, 2024, 4:21 p.m.

Description

This analysis describes the identification of a server that was likely using the ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473) exploit chains against Microsoft Exchange Server to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate the systems and steal sensitive communications, targeting specific offices in Afghanistan, Laos, Georgia, and Argentina. The findings underscore the persistent threat posed by unpatched, internet-facing Exchange servers and the adaptability of malicious actors in achieving their objectives.

Date

  • Created: July 5, 2024, 3:03 p.m.
  • Published: July 5, 2024, 3:03 p.m.
  • Modified: July 5, 2024, 4:21 p.m.

Indicators

  • f527ea33f22293d99a5687fc13595c84830d6f2c52add1f08e49fbf607458251
  • 934e9336d45771a74de544be31e3dc8ec624891c5fc95a36d9ec124b39c4e5c7
  • 016344d35f6f217f9f8b483dacb8154b45139355bcc45a3f94910351b5df42b5
  • 4ad4d5edd434f8269cdf5511667364962dff7f2535ae13cd8102c6acde061a19
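
An added hunting example, not part of the original report: it applies the publicly documented request shapes of ProxyLogon (CVE-2021-26855, seen in Exchange HttpProxy logs as an AnchorMailbox value of the form ServerInfo~host/... on an unauthenticated request, or as X-BEResource / X-AnonResource-Backend cookies where cookies are logged) and ProxyShell (CVE-2021-34473, the /autodiscover/autodiscover.json?@host/... path confusion followed by calls to the backend /powershell endpoint) to log lines, and checks file hashes against the four SHA-256 indicators listed above. The log lines are constructed for this example; the hostnames, addresses, paths and the file-suffix list in `scan_tree` are assumptions.

```python
"""Added hunting example (not part of the original report).

Matches log lines against the publicly documented exploitation shapes of
ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473), and checks file
hashes against the report's SHA-256 indicators. The sample log lines are
constructed for this example; hostnames, IPs and paths are assumptions.
"""
import hashlib
import re
import sys
from pathlib import Path
from typing import Iterable

# SHA-256 values copied from the report's Indicators section.
INDICATOR_SHA256 = {
    "f527ea33f22293d99a5687fc13595c84830d6f2c52add1f08e49fbf607458251",
    "934e9336d45771a74de544be31e3dc8ec624891c5fc95a36d9ec124b39c4e5c7",
    "016344d35f6f217f9f8b483dacb8154b45139355bcc45a3f94910351b5df42b5",
    "4ad4d5edd434f8269cdf5511667364962dff7f2535ae13cd8102c6acde061a19",
}

# (tag, regex). Case-insensitive because attackers vary case and URL-encoding.
PATTERNS = [
    # ProxyLogon SSRF: HttpProxy logs record the spoofed backend target in
    # AnchorMailbox as "ServerInfo~host/..." (confirm AuthenticatedUser is
    # empty before escalating). The X-BEResource / X-AnonResource-Backend
    # cookies only appear if cs(Cookie) logging is enabled in IIS.
    ("ProxyLogon-SSRF",
     re.compile(r"ServerInfo~[^,\s]*/|X-(?:BEResource|AnonResource-Backend)=", re.I)),
    # ProxyShell path confusion: /autodiscover/autodiscover.json?@<host>/...
    # The "?" may be URL-encoded (%3F) or split into the IIS query field.
    ("ProxyShell-PathConfusion",
     re.compile(r"autodiscover/autodiscover\.json(?:%3f|\?|\s)*@", re.I)),
    # Backend PowerShell endpoint abused by ProxyShell for mailbox export.
    # Legitimate remote PowerShell also hits it: a corroborating signal only.
    ("ProxyShell-PowerShell", re.compile(r"/powershell(?:[\s?/]|$)", re.I)),
]


def classify_line(line: str) -> list[str]:
    """Return the tags of every pattern that matches one log line."""
    return [tag for tag, rx in PATTERNS if rx.search(line)]


def hunt(lines: Iterable[str]) -> list[tuple[int, list[str], str]]:
    """Return (1-based line number, tags, line) for every line with a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify_line(line)
        if tags:
            hits.append((n, tags, line.strip()))
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_indicator(digest: str) -> bool:
    return digest.lower() in INDICATOR_SHA256


def scan_tree(root: Path, suffixes=(".aspx", ".ashx", ".asmx", ".dll", ".exe")) -> dict[str, str]:
    """Hash files under root (e.g. the Exchange web root, an assumption) and
    return {path: digest} for those matching the report's indicators."""
    matches = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_file(p)
            if is_indicator(digest):
                matches[str(p)] = digest
    return matches


# Constructed sample lines: IIS W3C format (1-3, 5) and an HttpProxy CSV row (4).
SAMPLE_LOG = [
    r"2024-06-30 09:05:11 10.10.1.4 POST /owa/auth.owa - 443 - 203.0.113.9 Mozilla/5.0 - 302 0 0 12",
    r"2024-06-30 09:12:44 10.10.1.4 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.31.0 - 200 0 0 41",
    r"2024-06-30 09:12:51 10.10.1.4 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 198.51.100.23 python-requests/2.31.0 - 200 0 0 88",
    r"2024-06-30T09:10:02.120Z,7a1c0c7e,15,2,1258,27,,Ecp,mail.example.gov,/ecp/y.js,,Cookie,false,,,ServerInfo~a]@mail.example.gov:444/ecp/DDI/DDIService.svc/GetList,200",
    r"2024-06-30 09:30:00 10.10.1.4 POST /powershell ?serializationLevel=Full 443 EXAMPLE\admin 10.10.1.50 Microsoft+WinRM+Client - 200 0 0 60",
]

if __name__ == "__main__":
    for n, tags, line in hunt(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}\n    {line[:110]}")
    if len(sys.argv) > 1:  # optional: hash-check a directory against the indicators
        for path, digest in scan_tree(Path(sys.argv[1])).items():
            print(f"INDICATOR MATCH {digest} {path}")
```

Line 5 of the sample is deliberately benign (an authenticated, internal WinRM client) and still trips the PowerShell pattern; that is why it is kept as a corroborating signal rather than a standalone alert. Run the script on real HttpProxy and IIS logs by feeding their lines to `hunt`, and pass a directory path as the first argument to hash-check dropped files against the indicator set.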

Attack Patterns

  • T1009 (Binary Padding; deprecated ID, now T1027.001)
  • T1585 (Establish Accounts)
  • T1537 (Transfer Data to Cloud Account)
  • T1550 (Use Alternate Authentication Material)
  • T1064 (Scripting; deprecated ID, superseded by T1059)
  • T1567 (Exfiltration Over Web Service)
  • T1213 (Data from Information Repositories)
  • T1114 (Email Collection)
  • T1087 (Account Discovery)
  • T1082 (System Information Discovery)
  • T1083 (File and Directory Discovery)
  • T1071 (Application Layer Protocol)
  • T1020 (Automated Exfiltration)
  • T1040 (Network Sniffing)
  • T1053 (Scheduled Task/Job)
  • T1190 (Exploit Public-Facing Application)
  • T1078 (Valid Accounts)
  • T1059 (Command and Scripting Interpreter)

Additional Information

  • Government
  • Georgia
  • Lao People's Democratic Republic
  • Argentina