CMF further states that they are investigating the breach and have been in contact with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance. While indicators of compromise (IOCs) will have different file hashes for each victim, in many attacks the file names have been the same. Web shells using the names 'error_page.asp' and 'supp0rt.aspx' have been used in numerous ProxyLogon attacks and, for the most part, are identical with only a few changes specific to the victim. These files are Microsoft Exchange Offline Address Books (OAB), whose ExternalUrl setting has been changed to the China Chopper web shell. This web shell allows threat actors to execute commands on the compromised Microsoft Exchange server remotely by visiting the URL configured in the ExternalUrl setting.
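Because the file hashes differ per victim, a hunt for these files has to key on the file name and on what the ExternalUrl setting contains. The sketch below is an added example, not code from CMF, CSIRT or Microsoft; it assumes the settings appear as "Name : value" lines and that a legitimate ExternalUrl is a plain http(s) URL, and its sample values are constructed.

```python
import os
import re

# File names the article reports for ProxyLogon web shells.
KNOWN_NAMES = {"error_page.asp", "supp0rt.aspx"}
# Assumption: each setting is written as a "Name : value" line.
SETTING = re.compile(r"^[ \t]*ExternalUrl[ \t]*:[ \t]*(.*)$", re.I | re.M)
# Assumption: a legitimate ExternalUrl is a plain http(s) URL without markup.
PLAIN_URL = re.compile(r"^https?://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9._~/\-]*)?$")
SCRIPT_MARKERS = ("<script", "<%", "runat=")

def inspect_file(name, text):
    """Return findings for one file, judged by its name and ExternalUrl value."""
    findings = []
    if name.lower() in KNOWN_NAMES:
        findings.append("known-filename")
    for match in SETTING.finditer(text):
        value = match.group(1).strip()
        if any(marker in value.lower() for marker in SCRIPT_MARKERS):
            findings.append("script-in-externalurl")
        elif value and not PLAIN_URL.match(value):
            findings.append("non-url-externalurl")
    return findings

def scan_tree(root):
    """Walk a directory (e.g. a copy of the web root) and map path -> findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read(1_000_000)  # cap the read per file
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            found = inspect_file(name, text)
            if found:
                results[path] = found
    return results

# Constructed samples: a normal OAB setting and one carrying script markup.
CLEAN = "Name : OAB (Default Web Site)\nExternalUrl : https://mail.example.com/OAB\n"
SUSPECT = ('Name : OAB (Default Web Site)\nExternalUrl : http://placeholder.invalid/'
           '<script runat="server">/* constructed placeholder, no payload */</script>\n')

if __name__ == "__main__":
    print(inspect_file("oab.txt", CLEAN), inspect_file("supp0rt.aspx", SUSPECT))
```

A hit on the file name alone is weak evidence; a script marker inside ExternalUrl is the stronger signal and is worth reviewing even under an unfamiliar file name.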