
Microsoft Exchange - ProxyLogon Backdoor Webshells (CVE-2021-26855, CVE-2021-27065)

Severity
CVSSv3 Score
9.8
Exploitable with Sniper
No
Vulnerability description

The Exchange server has been compromised by malicious actors and at least one backdoor webshell was left on the system. Attackers typically use such a webshell to execute arbitrary commands remotely on the server with the privileges of the most powerful Windows account, NT AUTHORITY\SYSTEM.

Risk description

Even though the Exchange server may be patched now, the attackers exploited it before the update using the ProxyLogon attack chain and left this backdoor behind, so the patch alone does not remove their access.

Recommendation

Run the Microsoft Safety Scanner tool, which is designed to find and remove webshells and other malware from the server: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Furthermore, ensure that the Exchange server is patched so it is no longer vulnerable to ProxyLogon.

Since the attackers have already gained full access to the system, you should assume that sensitive data (e.g. emails) has been compromised. We suggest conducting an internal investigation to uncover the full implications of this attack.
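As a first-pass check alongside the Safety Scanner run, the following PowerShell script is an added example (not Pentest-Tools.com code) that lists script files recently created in the Exchange web directories where ProxyLogon webshells were commonly dropped, hashes them and flags common webshell strings. The directory paths, cutoff date and string indicators are assumptions drawn from public incident reporting, not from this page, and should be adjusted to the environment.

```powershell
# Added example: hunt for ProxyLogon-style webshells in Exchange web directories.
# Paths below are assumptions from public incident reports, not from this page.
$ExchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$SearchDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth')
)
# Legitimate .aspx files in these folders date from the Exchange install; files
# created during or after the ProxyLogon window are the interesting ones.
# Note: CreationTime can be timestomped, so treat an empty result as "nothing
# obvious", not as proof the server is clean.
$Since      = Get-Date '2021-02-26'   # assumed cutoff, adjust to your timeline
$Extensions = '.aspx', '.asp', '.ashx', '.asmx'
# Strings commonly present in ASP.NET webshells (assumption; extend with your own IoCs).
$Patterns   = 'Request\[', 'Request\.Item', 'eval\(', 'unsafe', 'JScript',
              'Process\.Start', 'cmd\.exe'

$Findings = foreach ($dir in $SearchDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() -and
                       $_.CreationTime -ge $Since } |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hits    = @($Patterns | Where-Object { $content -match $_ })
            [pscustomobject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                Modified   = $_.LastWriteTime
                SizeKB     = [math]::Round($_.Length / 1KB, 1)
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Suspicious = $hits.Count -gt 0
                Indicators = ($hits -join ', ')
            }
        }
}

if ($Findings) {
    # Suspicious files first; keep the CSV as evidence for the investigation.
    $Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    $Findings | Export-Csv -Path "$env:TEMP\exchange-webshell-hunt.csv" -NoTypeInformation
} else {
    Write-Host "No script files created since $Since found in the monitored directories."
}
```

Run it from an elevated PowerShell session on the Exchange server; any file it flags should be preserved (not just deleted) so the investigation recommended above can establish how and when it was written.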

Detectable with
Network Scanner
Vuln date
Mar 2021
Published at
Updated at
Software Type
Email server
Vendor
Microsoft
Product
Exchange Server
Codename
ProxyLogon Backdoor Webshells