Threat intelligence vendor Kryptos Logic said Tuesday that it found nearly 100,000 active web shells during internet scans of ProxyLogon, the most serious of four vulnerabilities in Microsoft's Exchange Server software disclosed earlier this month.

The company said on Twitter that it scanned 250,000 unique IP addresses and found 29,796 vulnerable Exchange servers, along with 97,827 shells across 15,150 IP addresses.

"Please patch and run Microsoft's MSERT tool to clean up any webshells," Kryptos Logic wrote on Twitter.

On March 2, Microsoft reported that a Chinese APT group known as Hafnium exploited the four zero-day vulnerabilities to attack on-premises versions of its Exchange email servers. The attackers placed web shells inside victims' networks to be used as backdoors.

Though Microsoft released patches and recommended that customers apply the updates to affected systems immediately, a wide range of victims was still affected, and web shells can give threat actors access to Exchange servers even after they've been patched.

On Monday, Microsoft Security Response Center tweeted that "92% of worldwide Exchange internet protocols (IPs) were now patched or mitigated." But the recent scan by Kryptos Logic shows that a significant number of organizations may still be infected with backdoors.

According to a blog post by Microsoft, "web shells potentially allow attackers to steal data and perform additional malicious actions to further compromise."

It is unclear which attackers, or how many, are behind the detected web shells. A joint report last week by Kryptos Logic and the Shadowserver Foundation, a nonprofit infosec organization, analyzed data from an Exchange server scan and addressed possible attackers. Initially, the attacks on Exchange servers were attributed to the Hafnium threat group; however, Microsoft later observed multiple threat groups targeting unpatched systems.