[KB7855] Does ESET protect me from the ProxyLogon and ProxyShell exploits?

Issue

Solution

ProxyLogon and ProxyShell exploits

Both ProxyLogon and ProxyShell have been seen and used by different criminal groups, such as HAFNIUM or BlackByte ransomware operators. Both have also been used for Business Email Compromise (BEC), sending malicious emails from compromised Exchange servers.

While ESET software can detect these attacks, the patches for both ProxyLogon and ProxyShell should be applied to all Exchange servers to remove the risk of exploitation.

ProxyLogon exploit:

ProxyShell exploit:


Microsoft security patch

After exploiting these vulnerabilities to gain initial access, operators (for example, HAFNIUM) deploy web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. See more technical information and attack details on HAFNIUM.

The detection for the web shells and backdoors used within this attack chain appears as:

  • JS/Exploit.CVE-2021-26855.Webshell.A
  • JS/Exploit.CVE-2021-26855.Webshell.B
  • ASP/Webshell
  • ASP/ReGeorg

The Microsoft Exchange server remote code execution vulnerabilities are:

Read more about the Microsoft Exchange vulnerabilities discovered and exploited in the wild. ESET strongly advises installing the Microsoft security update immediately.

To ensure the highest level of security, we recommend that you always use the latest version of your ESET product: Check for the latest version of your ESET business products


Keep ESET LiveGrid enabled

In some cases, your ESET product with ESET LiveGrid enabled may respond to new threats faster than module updates can.

Learn more about ESET LiveGrid and make sure it is enabled in your ESET product.


Minimize the risk of malware attack

What can I do to minimize the risk of a malware attack?

  • Back up your important data
  • Do not change default settings
  • Download security patches

WeLiveSecurity blog post

To learn more about how you can protect your system from this exploit, we recommend that you read the following ESET blog post:

To see a list of all ESET security articles related to zero-day attacks, see zero-day attacks