Nearly 100,000 web shells detected on Exchange servers
Although Microsoft reported a decrease in the number of vulnerable Exchange servers, new research shows a large amount of malicious web shells hiding inside networks.
While the number of Microsoft Exchange Servers vulnerable to ProxyLogon may be decreasing, new research has shown a large number of malicious web shells lurking inside organizations.
Threat intelligence vendor Kryptos Logic said Tuesday that it found nearly 100,000 active web shells during internet scans of ProxyLogon, the most serious of four vulnerabilities in Microsoft's Exchange Server software disclosed earlier this month. The company said on Twitter that it scanned 250,000 unique IP addresses and found 29,796 vulnerable Exchange servers, along with 97,827 shells across 15,150 IP addresses.
"Please patch and run Microsoft's MSERT tool to clean up any webshells," Kryptos Logic wrote on Twitter.
On March 2, Microsoft reported that a Chinese APT group known as Hafnium exploited the four zero-day vulnerabilities to attack on-premises versions of its Exchange email servers. The attackers placed web shells inside victims' networks to be used as backdoors. Though Microsoft released patches and recommended that customers apply the updates to affected systems immediately, a wide scope of victims was still impacted, and web shells can give threat actors access to Exchange servers even after they've been patched.
On Monday, Microsoft Security Response Center tweeted that "92% of worldwide Exchange internet protocols (IPs) were now patched or mitigated." But the recent scan by Kryptos Logic shows a significant number of organizations may be infected with backdoors. According to a blog post by Microsoft, "web shells potentially allow attackers to steal data and perform additional malicious actions to further compromise."
It is unclear which attackers or how many attackers are behind the detected web shells. Initially, the attacks on Exchange servers were attributed to the Hafnium threat group; however, Microsoft later observed the targeting of unpatched systems by multiple threat groups.
A joint report last week by Kryptos Logic and the Shadow Server Foundation, a nonprofit infosec organization, analyzed data from an Exchange server scan and addressed possible attackers. "Mass attacks have been widely reported to be now being performed by multiple threat actor groups, so this data is not being attributed to the HAFNIUM threat actor group," the report said.
The report was based off data from a Kryptos Logic scan done on March 13 to detect web shells that were "likely dropped by exploitation" of the four vulnerabilities in Microsoft Exchange Server. According to the report, "the total dataset distributed to 120 National CSIRTs [computer security incident response teams] in 148 countries and over 5900 network owners covers 6720 unique web shell URL paths corresponding to 5818 unique IP addresses were assessed on March 13 as being compromised Microsoft Exchange Servers with active web shells on common URL paths."
Like Kryptos Logic, the Shadow Server Foundation also recommended remediation.
"Anyone with the simple, easy to guess URL for any of these web shells could potentially compromise more of your infrastructure. We strongly encourage network owners and National CERT/CSIRTs urgently remediate and patch/rebuild all impacted victim systems immediately," the report said.
Kryptos Logic is not the first vendor to observe an increase in web shells. In a blog post Feb. 27, Rapid7 said it began to detect a "notable" increase in attacks on Microsoft Exchange Server installations involving a malicious web shell known as "China Chopper," which is popular among Chinese threat actors.