Both ProxyLogon and ProxyShell have been seen and used by different criminal groups such as Hafnium or BlackByte ransomware. Both were also used to perform Business Email Compromise (BEC) attacks, sending malicious emails from compromised Exchange servers.
While ESET software can detect this attack, patches for both ProxyLogon and ProxyShell should be applied to all Exchange servers to prevent the risk of exploitation.
ProxyLogon exploit:
ProxyShell exploit:
After exploiting vulnerabilities to gain initial access, operators (for example, HAFNIUM) deploy web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. See more technical information and attack details on HAFNIUM.
The detection for the web shells and backdoors used within this attack chain appears as:
The Microsoft Exchange server remote code execution vulnerabilities are:
Read more about Microsoft Exchange vulnerabilities discovered and exploited in the wild. ESET strongly advises installing the Microsoft security update immediately.
To ensure the highest level of security, we recommend that you always run the latest version of your ESET product: Check for the latest version of your ESET business products
In some cases, your ESET product with ESET LiveGrid enabled may respond faster to new threats than module updates.
Learn more about ESET LiveGrid and make sure it is enabled in your ESET product.
What can I do to minimize the risk of a malware attack?
To learn more about how you can protect your system from this exploit, we recommend that you read the following ESET blog post:
To see a list of all ESET security articles related to zero-day attacks, see zero-day attacks.