- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising databases allegedly belonging to Shodan, Censys, and Zoomeye.
- The threat actor claims that the listed IP addresses, gathered from these services, host unpatched MS Exchange servers that are vulnerable to ProxyShell.
- The CloudSEK Threat Intelligence Research team is validating the authenticity of this post.
Information from Source

The threat actor published a post on the cybercrime forum sharing a list of ~100,000 targets. The actor claims that 18% of Microsoft Exchange servers are vulnerable to ProxyShell, while 40% are vulnerable to CVE-2021-31206, which Microsoft has named Microsoft Exchange Server Remote Code Execution Vulnerability. The threat actor claims to have collected the list of vulnerable systems from the following companies:
- Shodan: a search engine that lets the user find specific types of systems connected to the internet using a variety of filters.
- Censys: a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
- Zoomeye: a cyberspace mapping and search engine.
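The first question a defender has about a list like the one advertised is whether any of their own address space appears in it. The script below is an added example (not CloudSEK's code and not derived from the actual post): it parses a constructed target list in the one-host-per-line form such dumps usually take (bare IP or IP:port), rejects malformed lines, and reports which entries fall inside a hypothetical organisation's CIDR ranges so those hosts can be checked for Exchange patch state. All addresses are from RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Constructed sample in the shape of an advertised "target list":
# one host per line, sometimes with a port, with some junk mixed in.
SAMPLE_LIST = """\
203.0.113.10
203.0.113.25:443
198.51.100.7
# scraped header line
192.0.2.200:443
not-an-ip
203.0.113.10
"""

# Hypothetical organisation address space (assumption for the example).
ORG_RANGES = ["203.0.113.0/24"]

# IPv4 with optional :port; anything else is treated as noise.
HOST_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\s*$")


def parse_target_list(text):
    """Return (hosts, rejected): hosts is a list of (IPv4Address, port-or-None)."""
    hosts, rejected = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank lines and comments are skipped
        m = HOST_RE.match(stripped)
        if not m:
            rejected.append(stripped)     # keep junk so the analyst can review it
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:                # e.g. 999.1.1.1 passes the regex but is not an IP
            rejected.append(stripped)
            continue
        port = int(m.group(2)) if m.group(2) else None
        hosts.append((ip, port))
    return hosts, rejected


def match_org_exposure(hosts, org_ranges):
    """Map each listed IP inside org_ranges to the set of ports it was listed with."""
    nets = [ipaddress.ip_network(n) for n in org_ranges]
    hits = {}
    for ip, port in hosts:
        if any(ip in net for net in nets):
            ports = hits.setdefault(str(ip), set())
            if port is not None:
                ports.add(port)
    return hits


def unique_host_count(hosts):
    """Advertised counts often include duplicates; count distinct IPs."""
    return len({str(ip) for ip, _ in hosts})


if __name__ == "__main__":
    hosts, rejected = parse_target_list(SAMPLE_LIST)
    print(f"{len(hosts)} entries, {unique_host_count(hosts)} unique IPs, "
          f"{len(rejected)} rejected lines: {rejected}")
    for ip, ports in sorted(match_org_exposure(hosts, ORG_RANGES).items()):
        print(f"IN SCOPE {ip} ports={sorted(ports) or 'unspecified'} -> verify Exchange patch level")
```

Hosts flagged as in scope are the ones to cross-check against the organisation's Exchange inventory and patch records; a listing on a forum is a prompt to verify, not proof of exposure, which is why the script reports the raw match rather than asserting vulnerability.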
| Country | No. of Targets | Country | No. of Targets |
|---|---|---|---|
| United States | 28,029 | Hong Kong | 869 |
| Czech Republic | 1164 | South Africa | 406 |
| ProxyLogon Chain Vulnerabilities | ProxyShell Chain Vulnerabilities |
|---|---|
- The actor has a high reputation on the forum.
- The information shared by the actor seems logical and consistent.
- Most of the databases the actor has shared in the past are legitimate leaks.
- The reliability of the actor can be rated Usually Reliable (B).
- The credibility of the advertisement can be rated Possibly True (2).
Impact & Mitigation