ProxyShell & Web Shells

  |  Source: 
Information & Technology

ProxyShell & Web Shells

Mandiant investigations continue to identify exploitation of Microsoft Exchange vulnerabilities as recently as November 2021, with estimates of up to 30,0000 internet-facing servers vulnerable. Threat actor exploits of these vulnerabilities have slightly shifted, "most notably, the writing of web shells via export of exchange certificate requests instead of mailbox exports, and exploitation of the first two vulnerabilities in the exploit chain only to achieve remote PowerShell and create new mailboxes, assign them privileged access to other mailboxes, then access them via Outlook Web Access (OWA)" states the investigation. Three attack paths were observed following the second stage exploitation: a web shell, Microsoft cmdlet (New-ExchangeCertificate to write web shell files) and New-Mailbox/New-RoleGroupMember/Add-MailboxPermission to create a new user to achieve full Exchange administrative capabilities.


Get trending threats published weekly by the Anvilogic team.

Sign Up Now