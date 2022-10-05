Malicious actors are pretending to be security researchers and selling phoney proof-of-concept ProxyNotShell exploits for recently discovered zero-day flaws in Microsoft Exchange.

According to a Bleeping Computer report, a scammer has started creating GitHub repositories through which they are trying to sell fake proof-of-concept exploits for the vulnerabilities.

The flaws — tracked as CVE-2022-41040 and CVE-2022-41082 — were disclosed last week after the Vietnamese cybersecurity firm GTSC first spotted the vulnerabilities in August 2022.

According to cybersecurity researcher John Hammond, who has been tracking the scammers, five now-removed GitHub accounts were attempting to sell the fake exploits.

He noted that a sixth was still active and is impersonating cybersecurity researcher Kevin Beaumont, who has been documenting the flaws and available workarounds.

Bleeping Computer reported that the repositories themselves aren’t important.

However, the README.md file included in the repositories provides details on what is currently known about the flaws, followed by a sales pitch.

“This means it can go unnoticed by the user and potentially by the security team as well,” it reads.

“Such a powerfull [sic] tool should not be fully public, there is strictly only 1 copy available so a REAL researcher can use it: https://satoshidisk.com/pay/xxx.”

After that, it specifies that readers must not resell or leak the proof-of-concept as that would put them “at risk of breaking the law”.

According to GTSC, exploiting the vulnerabilities could help malicious actors access Microsoft Exchange server systems to drop web shells and carry out lateral movements across the compromised network.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” it said.

“Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports web shell management.”
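GTSC's observation above (identifying the post-exploitation client from its User-Agent) maps onto a simple log-review task for Exchange operators. The following Python script is an added example, not code from the article, GTSC or Bleeping Computer. It parses IIS W3C logs using the `#Fields:` header and flags requests whose User-Agent contains a listed marker; the marker `antSword` and the sample log lines are assumptions and constructed input, not values from the page.

```python
# Flag Exchange/IIS requests whose User-Agent matches known web-shell
# client markers. Added example; the marker list is an assumption.

# Substrings whose presence in the User-Agent field warrants review.
# "antSword" is assumed here to be a marker the AntSword client sends;
# treat the tuple as tunable, not as a verified signature.
SUSPICIOUS_UA_MARKERS = ("antsword",)


def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines.

    The column order is read from the #Fields: directive rather than
    hard-coded, so logs with a customised field set still parse.
    """
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            continue  # data before any #Fields: header cannot be mapped
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_webshell_clients(lines, markers=SUSPICIOUS_UA_MARKERS):
    """Return a list of hits: requests whose User-Agent contains a marker."""
    hits = []
    for rec in parse_w3c(lines):
        ua = rec.get("cs(User-Agent)", "")
        if any(m.lower() in ua.lower() for m in markers):
            hits.append({
                "time": f"{rec.get('date')} {rec.get('time')}",
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "uri": rec.get("cs-uri-stem"),
                "user_agent": ua,
            })
    return hits


def summarize_by_client(hits):
    """Count flagged requests per source IP, to prioritise triage."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


# Constructed sample log (IIS stores spaces inside the User-Agent as '+').
# Field names follow the common IIS default set; IPs, paths and times are
# made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/105.0 200
2022-10-03 08:12:44 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 198.51.100.7 antSword/v2.1 200
2022-10-03 08:13:02 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 198.51.100.7 antSword/v2.1 200
2022-10-03 08:14:10 10.0.0.5 GET /ecp/default.aspx - 443 - 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0)+Chrome/106.0 302
"""

if __name__ == "__main__":
    found = find_webshell_clients(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['time']} {h['client']} {h['method']} {h['uri']} ua={h['user_agent']}")
    print("per-client counts:", summarize_by_client(found))
```

Run it against real logs with `find_webshell_clients(open(path).readlines())`; a match is a lead for triage (confirm the requested `.aspx` exists on disk and whether it belongs to a product), not proof of compromise on its own, since an attacker can change the client's User-Agent at will.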

