A hacking group is hijacking Microsoft Exchange web shells

A hacking group is piggybacking on the work of other threat actors and is hijacking web shells planted on unpatched Microsoft Exchange servers, including backdoors installed by Chinese cyberspies.

The "hijacking activity" is related to the recently disclosed ProxyLogon vulnerabilities. These are four vulnerabilities in Microsoft Exchange servers that, when combined, can be used to install web shells on unpatched systems.


Patches for the four bugs were released on March 2, when Microsoft also said it detected a Chinese state-sponsored hacking group named Hafnium abusing the ProxyLogon bugs to plant backdoors on email servers around the world.

Since Microsoft's initial disclosure, the attacks expanded, and several security vendors said they discovered signs that other threat actors were also abusing the same bugs to carry out their own attacks.


Image: DomainTools


At least ten separate threat actors were seen launching ProxyLogon-based attacks against Microsoft servers.

But according to cyber-security firms ESET and Kryptos Logic, not all groups were actually hacking Exchange servers.

Based on evidence collected by the two companies, one of the groups was scanning the internet for Hafnium's web shells and attempting to log in and hijack the Chinese group's backdoors.

Marcus Hutchins, the Kryptos Logic security researcher who spotted the behavior, told The Record the honeypot where he recorded this behavior was configured to emulate an Exchange server and not the web shell, so he wasn't able to determine what the threat actors were doing.

However, ESET believes the hijackers are related to a crypto-mining operation known as DLTMiner.

Some web shells are being used to deploy ransomware now

But things took a turn for the worse earlier today when threat actors started abusing these web shells for more than crypto-miners, and began deploying ransomware on Exchange servers, according to security firm Kryptos Logic.

These attacks come after yesterday Microsoft confirmed that the ProxyLogon bugs were being exploited by ransomware gangs to attack and encrypt servers.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.