ProxyNotShell | Breaking Cybersecurity News | The Hacker News

A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of tactical overlap with clusters tracked under the monikers Earth Estries and Salt Typhoon. The attack paves the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that's used by multiple China-nexus espionage groups, and TernDoor , which was recently discovered in attacks targeting telecommunications infrastructure in South America since 2024. What's notable about the campaign is that it repeatedly leveraged the same vulnerable Microsoft Exchange Server entry point despite several remediation att...

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access ( OWA ). "The new exploit method bypasses  URL rewrite mitigations  for the  Autodiscover endpoint ," CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio  said  in a technical write-up published Tuesday. Play ransomware, which first surfaced in June 2022, has been  revealed  to adopt many tactics employed by other ransomware families such as  Hive  and  Nokoyawa , the latter of which  upgraded to Rust  in September 2022. The cybersecurity company's investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting  CVE-2022-41040 , but rather through the OWA endpoi...

Microsoft has updated its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed  ProxyNotShell  due to similarities to another set of flaws called  ProxyShell , which the tech giant resolved last year. In-the-wild attacks abusing the  shortcomings  have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells. The Windows maker, which is yet to release a fix for the bugs, has acknowledged that a single state-sponsored threat actor may have been weaponizing the flaws since August 2022 in limited targeted attacks. In the meantime, the company has made available temporary workarounds to reduce the risk of exploitation by restricting known attack patterns through a rule in the IIS Man...

Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 – to permit a remote actor to execute arbitrary code. Despite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA’s list of top 2021 routinely exploited vulnerabilities. Meet ProxyNotShell  Recorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft’s Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, ena...