“If the web shell was placed there before a device was patched, and then the patch was applied, the file would still exist and it could still be used. Patching only prohibits the initial vulnerability being used again,” Mr Gangwer said.
“The nature of this latest attack was to infect as many devices as possible before organisations caught up with the patch. We have observed this impacting organisations in many different regions. There is no reason to believe that Australia was impacted any less than other countries.”
Microsoft has produced software that administrators can use to check their machines and locate any web shells. Mr Gangwer said finding and removing these web shells should be the next step for affected businesses, but that they’d also need human eyes to assess any damage.
“Each organisation needs to begin looking to see if they were impacted by a web shell, which can be determined via reviewing logs. If a web shell is discovered, you then need to assess if any further access was gained,” he said.
“[Web shells allow attackers] to issue any command the attacker desires on the victim device. This is why they pose such a risk, because it gives the attacker access to a very important and critical system.”
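One way to carry out the log review Mr Gangwer describes, as an added example that is not from the article or from Microsoft's tooling: parse IIS W3C logs, flag .aspx pages that are not on a known list, and summarise who reached a suspected shell and when. The log lines, web directory, file names and expected-page list are constructed placeholders.

```python
"""Added triage helper: review web-server logs for a suspected web shell. Constructed data only."""

# Constructed IIS W3C log excerpt (not real telemetry). The web directory and
# shell file name are placeholders, not the paths used in the real attacks.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-02 10:01:12 GET /ASSUMED_WEBDIR/logon.aspx - 198.51.100.7 200
2021-03-02 10:04:31 POST /ASSUMED_WEBDIR/suspected_shell.aspx - 203.0.113.9 200
2021-03-02 10:04:45 POST /ASSUMED_WEBDIR/suspected_shell.aspx cmd=EXAMPLE_INPUT 203.0.113.9 200
2021-03-03 08:15:00 GET /ASSUMED_WEBDIR/suspected_shell.aspx - 203.0.113.10 200
2021-03-03 09:00:00 GET /ASSUMED_WEBDIR/ - 198.51.100.7 200
"""

def parse_iis_log(text):
    """Parse W3C lines using the #Fields header; returns a list of dicts."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def find_unexpected_aspx(records, expected):
    """Candidate web shells: .aspx pages requested that are not in the known set."""
    stems = {r["cs-uri-stem"] for r in records if r["cs-uri-stem"].lower().endswith(".aspx")}
    return sorted(stems - set(expected))

def triage_shell_access(records, shell_path):
    """Summarise who reached the shell, when, and which requests carried input."""
    hits = [r for r in records if r["cs-uri-stem"] == shell_path]
    if not hits:
        return None
    times = sorted(f"{r['date']} {r['time']}" for r in hits)
    return {
        "requests": len(hits),
        "first_seen": times[0],
        "last_seen": times[-1],
        "source_ips": sorted({r["c-ip"] for r in hits}),
        "posts": sum(1 for r in hits if r["cs-method"] == "POST"),
        "queries": [r["cs-uri-query"] for r in hits if r["cs-uri-query"] != "-"],
    }

if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for path in find_unexpected_aspx(recs, {"/ASSUMED_WEBDIR/logon.aspx"}):
        print(path, triage_shell_access(recs, path))
```

The summary (first and last request, source addresses, POSTs and query strings) is the starting point for the "was further access gained" question; it does not replace a full host review.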
Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency, said on Twitter that if your organisation has an Exchange server connected to the internet, you need to assume it was compromised in the last few weeks.
These vulnerabilities were originally exploited by HAFNIUM late last year; they were discovered by a researcher and reported to Microsoft in January. After a spate of new attacks last month, the US government told reporters it was worried new players had the exploits and that there would be a large number of victims.
“A couple hundred guys are exploiting them as fast as they can,” stealing data and installing other ways to return later, an anonymous source who had worked with the US government told Reuters.