FTL 2 Posted November 7, 2021 Share Posted November 7, 2021 (edited) Hi On the 11 October i submitted 7 dll files to samples@eset.com that ESET's software decided to leave behind as clean from an infected Exchange 2019 Server from Hafnium/ProxyShell exploits. I know they are malicious as the time stamps of the files created mataches that of when the attack on that server took place, and they were in one of the known locations its like to dump its files. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946) At the time only Kaspersky detected them as malicious through uploading them via virustotal. Still today ESET is not picking these files up, even though there are now 10+ other vendors detecting these on virustotal as part of the proxy exchange expolits. Anybody from ESET staff on here able to escalte this please and get these files checked and added! Thanks Edited November 7, 2021 by FTL Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted November 7, 2021 Administrators Share Posted November 7, 2021 Those are just some remnants of the infection. The point is to detect the aspx files and that the user patches the ProxyShell vulnerability. The dlls are useless without the appropriate aspx files that ESET detects. While it's tricky to cover them without FPs, we'll try to. Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 7, 2021 Share Posted November 7, 2021 I would strongly recommend you patch that Exchange Server ASAP. You're pretty much a "sitting duck" for a ransomware attack: https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshell-exploits-used-to-deploy-babuk-ransomware/ until you do so. Link to comment Share on other sites More sharing options...
ESET Moderators foneil 342 Posted November 8, 2021 ESET Moderators Share Posted November 8, 2021 If anyone has suggested edits/updates to our KB for this issue, please send to me: https://support.eset.com/en/kb7855-does-eset-protect-me-from-hafnium Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 8, 2021 Share Posted November 8, 2021 (edited) 18 hours ago, foneil said: If anyone has suggested edits/updates to our KB for this issue, please send to me: It appears Eset has Hafnium known exploits pretty well covered. However, it should be noted from the above linked bleepingcomputer.com article on Tortilla ransomware that it will try to exploit any system vulnerability it can find: Quote More specifically, Tortilla followed these pathways to drop the DLL and .NET modules: Microsoft Exchange auto-discover server-side request forgery attempt Atlassian Confluence OGNL injection remote code execution attempt Apache Struts remote code execution attempt WordPress wp-config.php access via directory traversal attempt SolarWinds Orion authentication bypass attempt Oracle WebLogic Server remote command execution attempt Liferay arbitrary Java object deserialization attempt As these attacks rely on patched vulnerabilities, it is strongly advised that all admins upgrade their servers to the latest versions to prevent them from being exploited in attacks. As such, I believe 100% reliance on your security software versus performing the appropriate patch for the above vulnerabilities is very ill advised. It is also naive to assume one specific technique, e.g.: Quote According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as 'Tortilla' had joined the club in October, when the actor started using the 'China Chopper' web shell on breached Exchange servers. is being used to exploit these vulnerabilities. Edited November 8, 2021 by itman Link to comment Share on other sites More sharing options...
Recommended Posts