Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities.
GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange.
On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.
“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.
Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits.
Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell.
In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.
The fraudulent repositories did not include anything necessary, but the README.md confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days.
The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364.
Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit.
In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one.
Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit.
