As is known, on March 2 Microsoft reported multiple zero-day vulnerabilities in on-premises (non-cloud) Exchange Server and released patches for them. The attacks exploiting these vulnerabilities became known as ProxyLogon, after the name given to the underlying vulnerability in the chain.
The most common ProxyLogon attacks seen so far have involved webshells placed on exploited Exchange servers. However, by scanning for these webshells, other attackers have been able to deploy ransomware, cryptomining software and other tools without needing an entry vector of their own. Once a webshell is installed on a vulnerable system, it can be activated at any time, even after the patches have been applied. These webshells can be used by any attacker, not only the one who deployed them. This is therefore no longer only the state-backed activity that Microsoft initially described.
Microsoft has reported a new ransomware threat that makes use of these webshells. The new malware is reportedly called DearCry.
Microsoft has released an update to its Safety Scanner tool (MSERT) so that it detects and removes webshells from potentially affected servers. Use of this tool is recommended for detection and response.
The indicators of compromise observed to date are listed at the end of this article.
Creating SIEM rules that cover these indicators will allow early detection of any activity resulting from these vulnerabilities.
If webshells are found, it is recommended that an incident response plan be initiated immediately to detect data exfiltration, unauthorized account access, and lateral movement.
Webshell File Paths:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServerProxy.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\r1BMaJKT.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\[RANDOM].aspx
C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx
C:\inetpub\wwwroot\aspnet_client\discover.aspx
Webshell File Names:
Regex: [0-9a-zA-Z]{8}\.aspx
aspnet_client.aspx
aspnet_iisstart.aspx
aspnet_www.aspx
aspnettest.aspx
discover.aspx
document.aspx
error.aspx
errorcheck.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
healthcheck.aspx
help.aspx
HttpProxy.aspx
Logout.aspx
MultiUp.aspx
one.aspx
OutlookEN.aspx
OutlookJP.aspx
OutlookRU.aspx
RedirSuiteServerProxy.aspx
shell.aspx
shellex.aspx
supp0rt.aspx
system_web.aspx
t.aspx
TimeoutLogout.aspx
web.aspx
xx.aspx
Related Suspicious Commands:
"cmd" /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web"&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]
wmic /node:$NODE$ /user:$USER$ /password:$PASSWORD$ process call create "powershell -exec bypass -file c:\programdata\payloadDns.ps1"
"cmd.exe" /c powershell -exec bypass -file c:\programdata\bot.ps1
net group "Exchange Servers" /DOMAIN
cmd /c start c:\windows\temp\xx.bat
net group "Exchange Organization Administrators" /domain
dsquery server -limit 0
net group [REDACTED] /domain
"cmd" /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web"&arp -a&echo [S]&cd&echo [E]
net use [REDACTED] [PASSWORD] /user:[USER]
powershell.exe -PSconsoleFile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -Command ".'C:\windows\help\help1.ps1'"
nltest /domain_trusts
"cmd" /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web"&wmic process call create "reg save hklm\sam c:\programdata\$FILE_NAME$.log &echo [S]&cd&echo [E]
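As an added example (not part of the original article), the indicator lists above turned into the kind of detection logic a SIEM rule or a scheduled script would apply: file-write events are checked against the webshell directories, names and the 8-character regex, and process events against fragments of the suspicious command lines. The event shape, the sample events and the w3wp.exe parent-process check are assumptions of this example, not something the article states.

```python
import re
from pathlib import PureWindowsPath

# Subset of the webshell names listed above, plus the 8-character random-name regex.
WEBSHELL_NAMES = {n.lower() for n in (
    "aspnet_client.aspx", "discover.aspx", "healthcheck.aspx", "HttpProxy.aspx", "OutlookEN.aspx",
    "RedirSuiteServerProxy.aspx", "shell.aspx", "supp0rt.aspx", "system_web.aspx", "TimeoutLogout.aspx")}
RANDOM_NAME = re.compile(r"^[0-9a-zA-Z]{8}\.aspx$")
# Directories in which the listed webshell paths were observed (compared case-insensitively).
WATCHED_DIRS = (r"c:\inetpub\wwwroot\aspnet_client",
                r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth")
# Fragments of the suspicious command lines listed above, each paired with why it matters.
COMMAND_INDICATORS = (
    (re.compile(r'cd /d "?c:\\inetpub\\wwwroot\\aspnet_client\\system_web', re.I), "cd into system_web webshell directory"),
    (re.compile(r"echo \[S\]&cd&echo \[E\]", re.I), "webshell output delimiters echo [S]/[E]"),
    (re.compile(r"reg save hklm\\sam", re.I), "SAM hive dump"),
    (re.compile(r'net group "?exchange (organization administrators|servers)"?', re.I), "Exchange AD group enumeration"),
)

def classify_path(path):
    p = PureWindowsPath(path)  # pure path: works on any OS, no filesystem access
    if str(p.parent).lower().startswith(WATCHED_DIRS):
        if p.name.lower() in WEBSHELL_NAMES:
            return f"known webshell name {p.name}"
        if RANDOM_NAME.match(p.name):
            return f"random 8-character .aspx name {p.name}"
    return None  # nothing matched, or the file is outside the Exchange web roots
def score_command(parent_image, cmdline):
    hits = [why for rx, why in COMMAND_INDICATORS if rx.search(cmdline)]
    # Assumption (not from the article): a hit spawned by the IIS worker process is webshell-driven.
    if hits and parent_image.lower().endswith("w3wp.exe"):
        hits.insert(0, "spawned by IIS worker process w3wp.exe")
    return hits

# Constructed sample events in the shape a SIEM might normalise them to (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\inetpub\wwwroot\aspnet_client\system_web\r1BMaJKT.aspx"},
    {"type": "file", "path": r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx"},
    {"type": "file", "path": r"C:\inetpub\wwwroot\aspnet_client\system_web\WebResource.axd"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": '"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&arp -a&echo [S]&cd&echo [E]'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "cmdline": "net group /domain"},
]
def detect(events):
    alerts = []  # (subject, reasons) pairs worth alerting on
    for ev in events:
        reasons = (score_command(ev["parent"], ev["cmdline"]) if ev["type"] == "process"
                   else [r for r in [classify_path(ev["path"])] if r])
        if reasons:
            alerts.append((ev.get("path") or ev["cmdline"], reasons))
    return alerts
```

Running detect(SAMPLE_EVENTS) flags the random-named and supp0rt.aspx files and the w3wp.exe-spawned cmd line, while the legitimate WebResource.axd and the generic net group query produce no alert.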