After exploiting the vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised Exchange server. A web shell gives the attacker persistent remote command execution on the server that survives a reboot and is not removed by patching; from there they can steal data and carry out further actions that widen the compromise.
For more details, see the ESET Customer Advisory.
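As an added example (it is not part of the ESET article and is not ESET's or Microsoft's code), the PowerShell below hunts for recently written ASP.NET files in the directories an Exchange front end serves from, which is where a web shell dropped after exploitation would normally land. The directory list, the 30-day window and the indicator strings are assumptions for a default Exchange 2016/2019 installation; adjust them for your server.

```powershell
# Added example, not code from ESET or Microsoft: hunt for ASP.NET files written
# recently under the web roots an Exchange front end serves. $Roots, $Since and
# $Indicators are assumptions for a default install; tune them for your server.
param(
    [string[]]$Roots = @(
        "C:\inetpub\wwwroot\aspnet_client",
        "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
        "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth"
    ),
    [datetime]$Since = (Get-Date).AddDays(-30)
)

# Strings that commonly appear in ASP.NET web shells. A match in a file that is
# not part of the product is a reason to pull the file for analysis, not proof.
$Indicators = @(
    'Request\[', 'Request\.Item', 'eval\(', 'Process\.Start',
    'cmd\.exe', 'powershell', 'System\.Diagnostics'
)

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        # Either timestamp inside the window is interesting: attackers often
        # overwrite an existing file, which changes LastWrite but not Creation.
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            $matched = Select-String -LiteralPath $_.FullName -Pattern $Indicators -AllMatches |
                       ForEach-Object { $_.Matches.Value } | Sort-Object -Unique

            # Hash the file so it can be compared with published IoCs and
            # preserved as evidence before anyone touches it.
            [pscustomobject]@{
                Path       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                WrittenUtc = $_.LastWriteTimeUtc
                SizeBytes  = $_.Length
                Indicators = ($matched -join ',')
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$hits | Sort-Object WrittenUtc -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Exchange server. Treat every hit as a lead rather than a verdict: a file with indicator strings is one the attacker may have planted, while a recently written file with none may still be a shell that uses obfuscation. Do not delete what you find; copy it off the host together with the matching IIS and Exchange HttpProxy logs so the intrusion can be scoped. An empty result does not prove the server is clean, only that nothing landed in these directories within the window.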
ESET products detect and block the web shells that the attackers deploy after the initial remote code execution.
The detections for the web shells and backdoors used in this attack chain appear as:
The Microsoft Exchange Server remote code execution vulnerabilities are:
ESET strongly advises installing the Microsoft security update immediately. Installing the update closes the vulnerabilities but does not remove web shells or other artifacts an attacker has already left behind, so a server that was exposed before it was patched should also be checked for signs of compromise.
To ensure the highest level of protection, we recommend that you always run the latest version of your ESET product: Check for the latest version of your ESET business products
In some cases, an ESET product with ESET LiveGrid enabled may respond to new threats faster than module updates alone would, because LiveGrid consults ESET's cloud reputation data instead of waiting for the next module update.
To learn more about how to protect your systems from this exploit, we recommend that you read the following ESET blog post:
To see a list of all ESET security articles related to zero-day attacks, see zero-day attacks.