
Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities.

Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange.

Working with Trend Micro's Zero Day Initiative, the researchers disclosed the vulnerabilities privately to Microsoft, who confirmed that the bugs were being exploited in attacks and that they were working on an accelerated timeline to release security updates.

"Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft shared in an analysis of the attacks.

Security researchers are keeping the technical details of the vulnerabilities private, and it appears only a small number of threat actors are exploiting them.

Due to this, other researchers and threat actors are awaiting the first public disclosure of the vulnerabilities to use in their own activities, whether defending a network or hacking into one.

Scammers selling fake exploits

To take advantage of this lull before the storm, a scammer has begun creating GitHub repositories where they attempt to sell fake proof-of-concept exploits for the Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities.

Huntress Lab's John Hammond has been following these scammers, finding five now-removed accounts attempting to sell the phony exploits. These accounts were under the names 'jml4da', 'TimWallbey', 'Liu Zhao Khin (0daylabin)', 'R007er', and 'spher0x.'

Another scam account found by Paulo Pacheco impersonated Kevin Beaumont (aka GossTheDog), a well-known security researcher/professional who has been documenting the new Exchange vulnerabilities and available mitigations.

Fake Kevin Beaumont account on GitHub
Source: BleepingComputer

The repositories themselves don't contain anything of importance, but the README.md describes what is currently known about the new vulnerabilities, followed by a pitch on how they are selling one copy of a PoC exploit for the zero days.

"This means it can go unnoticed by the user and potentially by the security team as well. Such a powerful tool should not be fully public, there is strictly only 1 copy available so a REAL researcher can use it: https://satoshidisk.com/pay/xxx," reads the text in the scam repository.

A portion of the README.md in the GitHub repositories
Source: BleepingComputer

The README files contain a link for a SatoshiDisk page where the scammer is attempting to sell the fake exploit for 0.01825265 Bitcoin, worth approximately $420.00.

SatoshiDisk page for scam
Source: BleepingComputer

These vulnerabilities are worth far more than $400, with Zerodium offering at least $250,000 for Microsoft Exchange remote code execution zero days.

It should go without saying that this is just a scam, and sending any bitcoin will likely not result in you receiving anything.

Furthermore, with all the information already available, figuring out an exploit for the bugs is likely not going to be too difficult, especially for more advanced threat actors, such as state-sponsored hackers who would have an incentive to breach organizations of interest.
