Vulnerable Exchange Servers Special Report #5

Attacks against potentially vulnerable Microsoft Exchange Servers using vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 are continuing, and have become much easier to perform since working "ProxyLogon" exploit code was published online, which moved this activity from being APT-only to mainstream cybercrime. You can read more on the background of the original HAFNIUM Microsoft Exchange Server compromises and our subsequent Special Reports about potentially vulnerable Microsoft Exchange servers in our recent blog posts:

    1. HAFNIUM attributed Exchange victims (2021-02-26 to 2021-03-03, pre-patch release)
    2. Exchange Scanning #1 – mass exploitation (2021-03-09, post-patch release)
    3. Exchange Scanning #2 – confirmed web shells (2021-03-12, post-patch release)
    4. Exchange Scanning #3 – potentially vulnerable servers (2021-03-13 to 2021-03-14, post-patch release)
    5. Exchange Scanning #4 – potentially vulnerable servers (2021-03-14, post-patch release)

Much of the detection of potentially vulnerable Microsoft Exchange servers performed to date has been based on internet-wide IPv4 /0 scanning, which is effective at identifying Exchange/OWA instances that answer on the IP address itself, i.e. on the default web site binding. However, this kind of mass scanning does not always identify potentially vulnerable Microsoft Exchange servers, since they can also be published only under web server virtual hosts keyed on fully qualified domain names (FQDNs), rather than being bound to the default web site instance or to a server's main IP address. A request sent to the bare IP address then never reaches the Exchange virtual host, so such instances may be missed during IPv4 /0 scans.

This sixth one-off Special Report comprises a hybrid data set generated by both IP scanning and FQDN host name based testing (using candidate host names obtained from MX records, reverse DNS, passive DNS, TLS certificate issuer/subject common names, etc.) to identify additional vulnerable Microsoft Exchange servers.

  • Devices with a status of "vulnerable-at-time-of-scan" were observed to behave as vulnerable to the ProxyLogon CVE-2021-26855 Exchange SSRF test via the X-AnonResource-Backend and X-BEResource cookies, as per Microsoft's published Nmap NSE script. This is a non-destructive check: it only observes how the front end routes a request, and does not drop any file or execute any command.
  • Devices with a status of "compromised" were observed to return a response from a web shell on an easily guessable URI path that is known to be dropped onto successfully compromised Microsoft Exchange servers. Where possible the Exchange version information and internal server host name are included, to aid victim identification and remediation.

Some of the potentially vulnerable or compromised systems will be running as a virtual host on an IP address that also responds as the default site for that IP address, independently of web server virtual hosting, so the same server may appear more than once in the data set, once under its IP-based URL and once under each FQDN-based URL. Recipients should therefore de-duplicate by IP address and web shell path rather than by URL. Since the data set covers the period 2021-03-16 to 2021-03-23, it is possible that some exposed instances have already been patched and dropped web shells removed, but we provide the full data set to our report recipients so that they can make their own informed assessment of their own potential exposure risks.

This new Special Report is being shared outside of our normal free daily network reporting process with National CERT/CSIRTs and network owners, for maximum public benefit.

The blog entry announcing this report can be found here.

Shadowserver Special Reports are unlike all of our other standard free daily network reports: they are not tied to a fixed reporting period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24 hour period – for example during high profile events such as the Solarwinds Orion/SUNBURST supply chain or HAFNIUM/Microsoft Exchange Server mass breaches, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe that there would still be significant benefit to our constituents in them receiving and hopefully acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that since the data that can be shared during one-off reporting events is sometimes different from our more standard shared datasets, this report format is subject to change, primarily through the addition of new fields to better describe a particular dataset.

Fields

  • timestamp
    Timestamp when the IP was seen, in UTC+0
  • ip
    IP of the affected device
  • asn
    ASN of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight
  • public_source
    Source of the data
  • status
    Status of the affected IP, for example "vulnerable-at-time-of-scan" (responded as vulnerable to the CVE-2021-26855 SSRF test) or "compromised" (a web shell responded on a common path)
  • detail
    Additional details on the event; for this report, the URL that was tested (for "vulnerable-at-time-of-scan") or the URL of the responding web shell (for "compromised")
  • account
    Microsoft Exchange admin account name
  • exchange_version
    Version of Microsoft Exchange reported by detected web shell via the "AdminDisplayVersion" field.
  • server_version
    Version of Microsoft Exchange reported by detected web shell via the "ExchangeVersion" field.

Sample

"timestamp","ip","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","detail","account","exchange_version","server_version"
"2021-03-16 12:41:08","24.197.xxx.xxx",20115,"US","WISCONSIN","ONALASKA","xxx.xxx.xxx.com",517311,"Communications, Service Provider, and Hosting Service","exchange;CVE-2021-26855","Shadowserver","vulnerable-at-time-of-scan","https://xxx.xxx.spectrum.com",,,
"2021-03-17 15:18:17","194.244.xxx.xxx",16391,"US","NORTH CAROLINA","RALEIGH","xxx.xxx.org",,,"exchange;CVE-2021-26855","Shadowserver","vulnerable-at-time-of-scan","https://xxx.xxx.org",,,
"2021-03-17 15:35:27","97.102.xxx.xxx",33363,"US","FLORIDA","PALM BAY","xxx.xxx.xxx.com",517311,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","https://xxx.xxx.xxx.com/owa/auth/OutlookDA.aspx",,,
"2021-03-17 15:36:01","100.19.xxx.xxx",701,"US","PENNSYLVANIA","AMBLER","xxx.xxx.xxx.verizon.net",517312,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","https://100.19.xxx.xxx/owa/auth/OutlookDA.aspx",,,
"2021-03-17 15:36:02","100.8.xxx.xxx",701,"US","NEW JERSEY","ROSELLE PARK","mail.xxx.com",517312,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","https://100.8.xxx.xxx/owa/auth/OutlookDA.aspx",,,
"2021-03-17 15:36:03","102.130.xxx.xxx",37302,"ZA","KWAZULU-NATAL","SHEFFIELD BEACH","mail.xxx.edu.za",,,"exchange;webshell","Shadowserver","compromised","https://102.130.xxx.xxx/owa/auth/OutlookDA.aspx",,,
"2021-03-23 17:00:37","103.118.xxx.xxx",58868,"AU","QUEENSLAND","BRISBANE",,,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","http://103.118.xxx.xxx/aspnet_client/0QWYSEXe.aspx",,"Version 15.0 (Build 995.29)","0.10 (14.0.100.0)"
"2021-03-23 17:00:37","1.214.xxx.xxx",3786,"KR","GYEONGGI-DO","DEOKGYE-DONG","mail.xxxxxxx.kr",517311,,"exchange;webshell","Shadowserver","compromised","http://1.214.xxx.xxx/owa/auth/redirsuiteserverproxy.aspx",,"Version 15.0 (Build 1395.4)","0.10 (14.0.100.0)"
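An added example of consuming this report, not Shadowserver's code: it parses the CSV with the 16 fields listed above, collapses IP-based and FQDN-based hits for the same server into one record (the duplication the report warns about), extracts the web shell path from "detail", and parses "exchange_version" into a comparable build tuple. The embedded sample keeps the page's redacted rows as they are (the "xxx" octets and labels are not real data) and adds one constructed row, the last one, that repeats the 97.102.xxx.xxx web shell under its bare-IP URL so that the de-duplication has something to do.

```python
"""Added example (not Shadowserver's code): triage a Shadowserver Exchange
Special Report CSV down to one remediation record per IP.

Assumes the column set is exactly the 16 fields documented for this report.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# Rows copied from the report's redacted sample, plus one constructed row (the
# last) that reports the same web shell as the 97.102.xxx.xxx host under the
# IP-based URL instead of the FQDN-based one.
SAMPLE_CSV = """\
"timestamp","ip","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","detail","account","exchange_version","server_version"
"2021-03-16 12:41:08","24.197.xxx.xxx",20115,"US","WISCONSIN","ONALASKA","xxx.xxx.xxx.com",517311,"Communications, Service Provider, and Hosting Service","exchange;CVE-2021-26855","Shadowserver","vulnerable-at-time-of-scan","https://xxx.xxx.spectrum.com",,,
"2021-03-17 15:35:27","97.102.xxx.xxx",33363,"US","FLORIDA","PALM BAY","xxx.xxx.xxx.com",517311,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","https://xxx.xxx.xxx.com/owa/auth/OutlookDA.aspx",,,
"2021-03-23 17:00:37","103.118.xxx.xxx",58868,"AU","QUEENSLAND","BRISBANE",,,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","http://103.118.xxx.xxx/aspnet_client/0QWYSEXe.aspx",,"Version 15.0 (Build 995.29)","0.10 (14.0.100.0)"
"2021-03-17 15:36:10","97.102.xxx.xxx",33363,"US","FLORIDA","PALM BAY","xxx.xxx.xxx.com",517311,"Communications, Service Provider, and Hosting Service","exchange;webshell","Shadowserver","compromised","https://97.102.xxx.xxx/owa/auth/OutlookDA.aspx",,,
"""

VERSION_RE = re.compile(r"Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)")
STATUS_RANK = {"compromised": 0, "vulnerable-at-time-of-scan": 1}   # lower = more urgent


def parse_report(text: str) -> list:
    """Rows as dicts keyed by the header line; empty CSV fields become ''."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_build(exchange_version: str):
    """'Version 15.0 (Build 995.29)' -> (15, 0, 995, 29); None if the field is empty."""
    m = VERSION_RE.fullmatch(exchange_version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def webshell_path(detail: str):
    """Path of the reported URL, or None when detail is only an origin (SSRF-only hits)."""
    path = urlsplit(detail).path
    return path if path and path != "/" else None


def summarise(rows) -> dict:
    """Collapse rows to one record per IP, merging FQDN- and IP-based sightings."""
    out = {}
    for r in rows:
        rec = out.setdefault(r["ip"], {"hosts": set(), "statuses": set(), "paths": set(),
                                       "tags": set(), "build": None,
                                       "first_seen": r["timestamp"]})
        rec["first_seen"] = min(rec["first_seen"], r["timestamp"])
        rec["statuses"].add(r["status"])
        rec["tags"].update(t for t in r["tag"].split(";") if t)
        # Host names come from the hostname column and from the URL; the bare IP is not a host name.
        url_host = urlsplit(r["detail"]).hostname or ""
        for h in (r["hostname"], url_host):
            if h and h != r["ip"]:
                rec["hosts"].add(h)
        path = webshell_path(r["detail"])
        if path:
            rec["paths"].add(path)
        build = parse_build(r["exchange_version"])
        if build:
            rec["build"] = build
    return out


def remediation_order(summary: dict) -> list:
    """IPs ordered for action: web shell present first, then vulnerable; oldest sighting first."""
    def key(ip):
        rec = summary[ip]
        return (min(STATUS_RANK.get(s, 9) for s in rec["statuses"]), rec["first_seen"])
    return sorted(summary, key=key)


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_CSV))
    for ip in remediation_order(summary):
        rec = summary[ip]
        print(ip, sorted(rec["statuses"]), sorted(rec["hosts"]), sorted(rec["paths"]),
              rec["build"], rec["first_seen"])
```

The build tuple is what you compare against the patched build for the server's cumulative update; the report itself does not carry that table, so keep it from Microsoft's release notes. A record whose "paths" set is non-empty needs forensic handling regardless of its version, since the web shell is evidence of compromise rather than mere exposure.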
