Vulnerable Exchange Servers Special Report #1

This Special Report contains information on potentially vulnerable Microsoft Exchange Servers. You can read more on the background of HAFNIUM and our previous Special Report about potential hacking victims in our blog post here. This new report is based on IPv4 scanning conducted by DIVD, the Dutch Institute for Vulnerability Disclosure. Kudos to DIVD for being willing to quickly share their data with victims globally for public benefit.

The blog entry originally announcing this report can be found here.

 


Update 2021-03-30: The researchers at DIVD performed some additional scan-based testing and identified Exchange Servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and/or CVE-2021-26865. For their latest tests they used both a script that determines this vulnerability based on the version number of Microsoft Exchange OWA, and a script that actually determines if CVE-2021-26855 is exploitable.

The tests were executed with the following command: “nmap -Pn -p 443 –script ../http-vuln-exchange_v3.nse –script ../http-vuln-cve2021-26855_patched.nse –min-rtt-timeout 5 -v”. Used scripts can be found in their github repository.

If you received a notification (which will have been for a test result during the past ~1 week), your system was likely not patched at the time of DIVD’s scan and could well have been compromised as part of automated large scale exploitation. Please patch Exchange and run appropriate incident response processes immediately. DIVD will publish updates on their case page.


 

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24 hour period – for example during high profile events such as the Solarwinds Orion/SUNBURST supply chain or HAFNIUM/Microsoft Exchange Server mass breaches, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe that there would still be significant benefit to our constituents in them receiving and hopefully acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that since the data than can shared during one-off reporting events is sometimes different from our more standard shared datasets, this report format is subject to change – primarily through the addition of new fields to better describe a particular dataset.

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • ip
    IP of the affected device
  • asn
    As of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from revDNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight
  • public_source
    Source of the data
  • status
    Status of the affected IP, for example, vulnerable or likely vulnerable
  • detail
    Additional details on the event
  • account
    Affected account, if any

Sample

"timestamp","ip","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","detail","account"
"2021-03-09 14:49:24","185.43.x.x",580,"NL","GELDERLAND","LUNTEREN",,,,"hafnium;exchange","DIVD","potentially vulnerable","(15.1.2176) Exchange 2016 potentially vulnerable, check latest security update is applied (Exchange 2016 CU18 or CU19 installed)",
"2021-03-09 14:49:24","185.194.x.x",2034,"NL","NOORD-BRABANT","WAALWIJK","example.nl",,,"hafnium;exchange","DIVD","potentially vulnerable","(15.1.2176) Exchange 2016 potentially vulnerable, check latest security update is applied (Exchange 2016 CU18 or CU19 installed)",
"2021-03-09 14:49:24","217.67.x.x",964,"NL","GELDERLAND","GENDT","example.nl",,,"hafnium;exchange","DIVD","vulnerable","(15.1.1713) Exchange 2016 VULNERABLE! (< 15.1.2106)",
"2021-03-09 14:49:24","213.125.x.x",315,"NL","LIMBURG","MAASTRICHT","example.nl",517311,"Communications, Service Provider, and Hosting Service","hafnium;exchange","DIVD","vulnerable","(15.0.1395) Exchange 2013 VULNERABLE! (< 15.0.1496)",
"2021-03-09 14:49:24","212.115.x.x",142,"NL","ZEELAND","TERNEUZEN","example.nl",,"Arts, Entertainment, and Recreation","hafnium;exchange","DIVD","vulnerable","(15.1.1261) Exchange 2016 VULNERABLE! (< 15.1.2106)",

Our 132 Report Types