From bleepingcomputer.com
Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks.
“They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available,” the Microsoft 365 Defender Threat Intelligence Team said.
“These web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage.
“Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions.”