For more information, visit the Hafnium/ProxyLogon Resource Center.
Frequently Asked Questions
- What is a web shell attack?
- What is Backdoor/Exchange.ProxyLogon?
- How is Backdoor/Exchange.ProxyLogon detected?
- What web shells are being detected within the Bitsight platform at the moment?
- Do Backdoor/Exchange.ProxyLogon events impact the Bitsight Security Rating?
- If CVE-2021-26855 (ProxyLogon) is patched, does it mean the web shells were also removed?
- If the web shell is removed, will the Backdoor/Exchange.ProxyLogon event also be removed?
- If a web shell was not detected, does that mean an Exchange server was not exploited?
- What does it mean if a third party is indicated as vulnerable to CVE-2021-26855 (ProxyLogon) but I see no findings for it?
What is a web shell attack?
A web shell is a backdoor that an attacker can use to run malicious code on a compromised system. Attackers use vulnerabilities to implant malicious code in existing files or upload new malicious files to the compromised machine. After a web shell has been established, the attacker can remotely browse to the URL containing their malicious code and execute arbitrary commands on the web server. At this point, the attacker can do nearly anything to the server including gaining remote access, exfiltrating data, installing ransomware or a cryptocurrency miner.
What is Backdoor/Exchange.ProxyLogon?
Backdoor/Exchange.ProxyLogon is the detection name within the Bitsight platform, representing several types of web shells placed on Microsoft Exchange servers using the ProxyLogon vulnerability [CVE-2021-26855]. After being implanted in the Exchange server, the web shells can be used to escalate and maintain persistent access to the server and to exfiltrate information.
How is Backdoor/Exchange.ProxyLogon detected?
We use our own scanning engine to detect which systems:
- Are running Microsoft Exchange.
- Are exposing the main published vulnerability in the attack chain, CVE-2021-26855 (ProxyLogon). This is done using a method similar to that of the plugin provided by Microsoft.
- Have Indicators of Compromise (IoCs) related to the attack. This is done by making multiple HTTP requests, one for each of the known malicious web shell paths listed in the next section.
Note that even if the system is not vulnerable, we still test for malicious web shells; we have found that some organizations are patching against the vulnerabilities without identifying that they have already been compromised.
As part of this collection, we do not interact with the web shells. We only issue an HTTP GET to check for their presence.
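The presence check described above, written out as an added example (this is not Bitsight's scanner code): it sends a bare HTTP GET to each known web shell path on one server and records which paths answer 200, after first probing a random path that should not exist, so a server that returns 200 for everything is reported as inconclusive rather than as compromised. The host name and the `fetch` parameter (which lets the check run without a network) are assumptions.

```python
import urllib.error
import urllib.request
import uuid
from typing import Callable, Dict, List, Optional

# Subset of the web shell paths listed on this page.
KNOWN_WEBSHELL_PATHS = [
    "/aspnet_client/supp0rt.aspx",
    "/aspnet_client/discover.aspx",
    "/aspnet_client/shell.aspx",
    "/aspnet_client/help.aspx",
    "/aspnet_client/HttpProxy.aspx",
    "/aspnet_client/system_web/error.aspx",
    "/aspnet_client/RedirSuiteServerProxy.aspx",
]

Fetch = Callable[[str], Optional[int]]


def http_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """Plain HTTP GET with no body or parameters; returns the status code,
    or None if the host is unreachable. Nothing is passed to a shell."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def check_webshell_paths(base_url: str, paths: List[str] = KNOWN_WEBSHELL_PATHS,
                         fetch: Fetch = http_status) -> Dict[str, object]:
    """Probe each known web shell path on one server.

    A canary request to a path that cannot exist is made first: if the
    server answers 200 to that as well (a catch-all page), a 200 on a shell
    path proves nothing, so the result is flagged as inconclusive."""
    base = base_url.rstrip("/")
    canary = f"/aspnet_client/{uuid.uuid4().hex}.aspx"  # constructed, random
    catch_all = fetch(base + canary) == 200
    present = [p for p in paths if fetch(base + p) == 200]
    return {"present": present, "inconclusive": catch_all}


if __name__ == "__main__":
    # Hypothetical host; replace with your own Exchange server's OWA address.
    print(check_webshell_paths("https://mail.example.test"))
```

A 200 on a listed path is an indicator that warrants forensic review of the file itself, not proof on its own; a missing path likewise does not rule out a shell under a name that is not on the list.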
What web shells are being detected within the Bitsight platform at the moment?
The detected web shells list was compiled from the following sources:
- /aspnet_client/supp0rt.aspx
- /aspnet_client/discover.aspx
- /aspnet_client/shell.aspx
- /aspnet_client/help.aspx
- /aspnet_client/HttpProxy.aspx
- /aspnet_client/0QWYSEXe.aspx
- /aspnet_client/system_web/error.aspx
- /aspnet_client/OutlookEN.aspx
- /aspnet_client/load.aspx
- /aspnet_client/sol.aspx
- /aspnet_client/aspnettest.aspx
- /aspnet_client/shellex.aspx
- /aspnet_client/error_page.aspx
- /aspnet_client/aspnet_client.aspx
- /aspnet_client/iispage.aspx
- /aspnet_client/system_web/log.aspx
- /aspnet_client/web.config.aspx
- /aspnet_client/RedirSuiteServerProxy.aspx
- /aspnet_client/zXkZu6bn.aspx
- /aspnet_client/Fc1b3WDP.aspx
- /aspnet_client/F48zhi6U.aspx
- /aspnet_client/2XJHwN19.aspx
- /aspnet_client/UwSPMsFi.aspx
- /aspnet_client/E3MsTjP8.aspx
- /aspnet_client/uHSPTWMG.aspx
- /aspnet_client/McYhCzdb.aspx
- /aspnet_client/0q1iS7mn.aspx
- /aspnet_client/8aUco9ZK.aspx
- /aspnet_client/ogu7zFil.aspx
Do Backdoor/Exchange.ProxyLogon events impact the Bitsight Security Rating?
Yes. Backdoor/Exchange.ProxyLogon events in the Botnet Infection risk vector impact the rating and decay linearly over 180 days, like any other Compromised System event.
If CVE-2021-26855 (ProxyLogon) is patched, does it mean the web shells were also removed?
No. After patching the Exchange server, it is still necessary to look for the presence of web shells and remove them. It’s possible the organization patched the vulnerability but did not detect that an attacker compromised them while they were vulnerable. Further, even if the web shells were removed, the attacker may have created additional methods of persistence within the organization. The only way to truly ensure you or one of your vendors has not suffered a data breach is to perform complete forensics to determine if a threat actor actively compromised the organization and the impact of the compromise.
If the web shell is removed, will the Backdoor/Exchange.ProxyLogon event also be removed?
No, but the Last Seen date will reflect the last time we observed the event in our scans. Backdoor/Exchange.ProxyLogon events impact the rating and decay linearly over 180 days, like any other Compromised System event.
If a web shell was not detected, does that mean an Exchange server was not exploited?
No. Each web shell path must be scanned individually. We look for well-known indicators of compromise (IoCs) that have been publicized by Microsoft and others. It is possible that a vulnerable system was exploited and hosts a web shell that is not on our list.
What does it mean if a third party is indicated as vulnerable to CVE-2021-26855 (ProxyLogon) but I see no findings for it?
If you applied a filter to your portfolio and viewed the finding details of a third party, but no relevant findings appear in their Findings, uncheck the Impacts RV Grade filter. By default, that filter hides assets that have already been patched and therefore no longer impact the organization's risk vector grade and overall rating. With the Impacts RV Grade filter unchecked, you can view the findings recorded before the organization patched against the vulnerability.