Chile's bank regulator shares IOCs after Microsoft Exchange hack
2021-03-17 15:58

Chile's Comisión para el Mercado Financiero (CMF) has disclosed that its Microsoft Exchange server was compromised through the recently disclosed ProxyLogon vulnerabilities.

"The analyzes carried out by the information security and technology area of the CMF, together with external specialized support, have so far dismissed the presence of a ransomware and indicate that the incident would be limited to the Microsoft Exchange platform," disclosed the Comisión para el Mercado Financiero.

To aid security professionals and other Microsoft Exchange administrators, the CMF has released IOCs of web shells and a batch file found on their compromised server.

The web shell files are Microsoft Exchange Offline Address Books whose ExternalUrl setting has been changed to contain the China Chopper web shell.
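A defender-side check for the pattern described above, as an added example that is not from the CMF, Microsoft, or the original article: it flags any `ExternalUrl` value that is not a plain URL or that carries server-side script markers. The `Name : value` file layout, the marker list, the function names and both sample inputs are assumptions constructed for illustration.

```python
import re
import sys

# Assumed layout: one "ExternalUrl : value" line per exported OAB setting.
EXTERNAL_URL = re.compile(r"^[ \t]*ExternalUrl[ \t]*:[ \t]*(.*)$",
                          re.IGNORECASE | re.MULTILINE)
# A legitimate value is a bare http(s) URL: no whitespace, quotes or brackets.
PLAIN_URL = re.compile(r"^https?://[^\s<>\"'(){};]+$", re.IGNORECASE)
# Server-side script markers that have no place in a URL setting (assumed list).
SCRIPT_MARKERS = ("<script", "runat=", "<%", "eval(")

# Constructed samples: a normal setting and one with a harmless placeholder script.
CLEAN = ("Name        : OAB (Default Web Site)\n"
         "ExternalUrl : https://mail.example.com/OAB\n")
TAMPERED = ("Name        : OAB (Default Web Site)\n"
            'ExternalUrl : http://example.invalid/<script runat="server">'
            "/* constructed placeholder */</script>\n")


def check_external_url(text):
    """Return (value, reasons) for every suspicious ExternalUrl line in text."""
    findings = []
    for match in EXTERNAL_URL.finditer(text):
        value = match.group(1).strip()
        if not value:
            continue  # an unset ExternalUrl is normal
        reasons = [m for m in SCRIPT_MARKERS if m in value.lower()]
        if not PLAIN_URL.match(value):
            reasons.append("not a plain URL")
        if reasons:
            findings.append((value, reasons))
    return findings


def scan_paths(paths):
    """Map each readable file path to its findings, skipping clean files."""
    results = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as handle:
            hits = check_external_url(handle.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_paths(sys.argv[1:]).items():
        print(path, hits)
```

A hit is a lead for manual review of the file and its timestamps, not proof of compromise.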

While most Microsoft Exchange attacks have been deploying web shells, harvesting credentials, and stealing mailboxes, some attacks are also installing cryptominers, and more recently, the DearCry ransomware on exploited servers.

To help administrators find malicious files dropped in these attacks, Microsoft has released a script that searches Microsoft Exchange logs for IOCs and has updated its Microsoft Safety Scanner to detect known web shells.


News URL

https://www.bleepingcomputer.com/news/security/chiles-bank-regulator-shares-iocs-after-microsoft-exchange-hack/
