Issue

• ProxyLogon and ProxyShell exploits
• This threat affects users of Microsoft Exchange Server versions 2010, 2013, 2016, and 2019
• Hafnium
• Your ESET security product detects the following threat:
  • JS/Exploit.CVE-2021-26855.Webshell.A
  • JS/Exploit.CVE-2021-26855.Webshell.B
  • ASP/Webshell
  • ASP/ReGeorg
• Install the Microsoft security patch
• Keep ESET LiveGrid enabled
• Minimize the risk of malware attack
• WeLiveSecurity blog post

Solution

ProxyLogon and ProxyShell exploits

Both ProxyLogon and ProxyShell have been seen and used by different criminal groups like Hanium or BlackByte ransomware. Both were also used to perform Business Email Compromises (BEC) to send malicious emails from compromised exchange servers.

While ESET software can detect this attack, patches for both ProxyLogon and ProxyShell should be applied to all exchange servers to prevent the risk of exploitation.

ProxyLogon exploit:

• CVE-2021-26855

ProxyShell exploit:

• CVE-2021-34473
• CVE-2021-34523
• CVE-2021-31207

Microsoft security patch

After exploiting vulnerabilities to gain initial access, operators (for example, HAFNIUM) deploy web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. See more technical information and attack details on HAFNIUM. 

The detection for the web shells and backdoors used within this attack chain appears as:

• JS/Exploit.CVE-2021-26855.Webshell.A
• JS/Exploit.CVE-2021-26855.Webshell.B
• ASP/Webshell
• ASP/ReGeorg

The Microsoft Exchange server remote code execution vulnerabilities are:

• CVE-2021-26855 (the most common)
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Read more about Microsoft Exchange vulnerabilities discovered and exploited in-the-wild. ESET strongly advises installing the Microsoft security update immediately.

To ensure the highest level of security, we recommend that you are always on the latest version of your ESET product: Check for the latest version of your ESET business products

Keep ESET LiveGrid enabled

In some cases, your ESET product with ESET LiveGrid enabled may respond faster to new threats than modules updates.

Learn more about ESET LiveGrid and make sure it is enabled in your ESET product.

Minimize the risk of malware attack

What can I do to minimize the risk of a malware attack?

• Back up your important data 
• Do not change default settings
• Download security patches

WeLiveSecurity blog post

To learn more about how you can protect your system from this exploit, we recommend that you read the following ESET blog post:

• Microsoft rushes out fixes for four zero-day flaws in Exchange Server
• Exchange servers under siege from at least 10 APT groups

To see a list of all ESET security articles related to zero-day attacks, see zero-day attacks.