wpopk.blogg.se

Exchange msert









The recently reported collection of Microsoft Exchange Server zero-day vulnerabilities has rocked the infosec world, impacting tens of thousands of organizations around the world, with some estimates exceeding 100,000 and growing by the day. The exploitations seen in the wild were first attributed to a nation state actor dubbed Hafnium, but the vulnerabilities and attacks have colloquially become known as “ProxyLogon” in reference to the main vulnerability of the zero-days involved.

The common form of ProxyLogon attacks seen so far includes vulnerable Exchange Servers being exploited and web shells dropped on those servers. However, as the news of the zero-days spread, opportunistic malicious actors have begun scanning for those web shells because finding one can be a shortcut to deploying ransomware or cryptominers, or launching other attacks, all without needing to go through the trouble of finding a way into a network.

“These web shells are dangerous because they can be activated at any time after they’ve been installed, even on a subsequently patched system,” said Mat Gangwer, senior director of Sophos Managed Threat Response (MTR). “Even more concerning is that anybody can come along and use them. It doesn’t just have to be the original attacker who put it there.”









