

The recently reported collection of Microsoft Exchange Server zero-day vulnerabilities has rocked the infosec world, impacting tens of thousands of organizations around the world, with some estimates exceeding 100,000 and growing by the day. The exploitation seen in the wild was first attributed to a nation-state actor dubbed Hafnium, but the vulnerabilities and attacks have colloquially become known as “ProxyLogon” in reference to the main vulnerability among the zero-days involved. The common form of ProxyLogon attack seen so far involves vulnerable Exchange Servers being exploited and web shells being dropped on those servers. However, as news of the zero-days has spread, opportunistic malicious actors have begun scanning for those web shells, because finding one can be a shortcut to deploying ransomware or cryptominers, or launching other attacks, all without needing to go through the trouble of finding a way into a network.
