Cybercriminals were seen impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly identified zero-days in Microsoft Exchange Server.
Fake exploits on GitHub
Microsoft and GTSC revealed that scammers have jumped on the bandwagon to abuse Exchange flaws by creating GitHub repositories for fake exploits.
The fake proof-of-concept targets Exchange bugs CVE-2022-41040 and CVE-2022-41082.
Researchers witnessed at least five fake accounts promoting it.
Impersonation tactic for fake exploits
In an instance, a hacker impersonated well-known security researcher Kevin Beaumont (aka GossTheDog) known for documenting the newly disclosed Exchange flaws and available mitigations.
The fake repositories did not include anything important, though a README[.]md describes details about new flaws, with an offer attempting to sell only a single copy of a PoC exploit.
The README files include a link to a SatoshiDisk page where the fraudster is trying to sell the fake exploit.
The exploit is offered at 0.01825265 Bitcoin worth approximately $364.
Conclusion
Ramping up exploits for unpatched bugs is not a new phenomenon. Skilled threat actors, such as APT groups and nation-sponsored attackers, will always be quick to jump in with scams around it. Stay ahead of threats and related updates by subscribing to our threat intel newsletters.