{"id":40165,"date":"2021-03-25T21:21:07","date_gmt":"2021-03-25T21:21:07","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=93212"},"modified":"2021-03-25T21:21:07","modified_gmt":"2021-03-25T21:21:07","slug":"analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/","title":{"rendered":"Analyzing attacks taking advantage of the Exchange Server vulnerabilities"},"content":{"rendered":"<p>Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft <a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/15\/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021\/\">released a one-click tool<\/a> that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/18\/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus\/\">built this capability into Microsoft Defender Antivirus<\/a>, expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers \u2013 more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.<\/p>\n<p>As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. 
Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. This blog covers:<\/p>\n<ul>\n<li>Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.<\/li>\n<li>Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.<\/li>\n<\/ul>\n<p>Although the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: <a href=\"https:\/\/aka.ms\/ExchangeVulns\">https:\/\/aka.ms\/ExchangeVulns<\/a>.<\/p>\n<h2>Mitigating post-exploitation activities<\/h2>\n<p>The first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\">this blog<\/a>. In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. 
Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93214\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig1-exchange-server-exploit-chain.png\" alt width=\"820\" height=\"316\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig1-exchange-server-exploit-chain.png 820w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig1-exchange-server-exploit-chain-300x116.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig1-exchange-server-exploit-chain-768x296.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\"><\/p>\n<p><em>Figure 1. The Exchange Server exploit chain<\/em><\/p>\n<p>In our investigation of the on-premises Exchange Server attacks, we saw systems being affected by multiple threats. <strong>Many of the compromised systems have not yet received a secondary action<\/strong>, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.<\/p>\n<p>Attackers who included the exploit in their toolkits, whether through modifying public proof-of-concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. 
Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.<\/p>\n<p>We have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <a href=\"https:\/\/aka.ms\/exchange-customer-guidance\">https:\/\/aka.ms\/exchange-customer-guidance<\/a>.<\/p>\n<p>While performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:<\/p>\n<ul>\n<li>Web shells \u2013 As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/02\/11\/web-shell-attacks-continue-to-rise\/\">Web shell attacks continue to rise<\/a>. We have also published guidance on <a href=\"http:\/\/aka.ms\/exchange-web-shell-investigation\">web shell threat hunting with Azure Sentinel<\/a>.<\/li>\n<li>Human-operated ransomware \u2013 Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. 
For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">Human-operated ransomware attacks<\/a>.<\/li>\n<li>Credential theft \u2013 While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/25\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#building-credential-hygiene\">best practices for building credential hygiene<\/a>.<\/li>\n<\/ul>\n<p>In the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It\u2019s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but <strong>many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement<\/strong>.<\/p>\n<h2>DoejoCrypt ransomware<\/h2>\n<p>DoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. 
Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or \u201creseller\u201d who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.<\/p>\n<p>The web shell writes a batch file to <em>C:\\Windows\\Temp\\xx.bat<\/em>. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93215\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig2-xx-bat.png\" alt width=\"592\" height=\"221\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig2-xx-bat.png 592w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig2-xx-bat-300x112.png 300w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\"><\/p>\n<p><em>Figure 2. xx.bat<\/em><\/p>\n<p>Given configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. 
<strong>As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection<\/strong>, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.<\/p>\n<p>The batch file saves the registry hives to a semi-unique location, <em>C:\\windows\\temp\\debugsms<\/em>, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93216\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig3-xx-bat-actions.png\" alt width=\"820\" height=\"290\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig3-xx-bat-actions.png 820w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig3-xx-bat-actions-300x106.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig3-xx-bat-actions-768x272.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\"><\/p>\n<p><em>Figure 3. xx.bat actions<\/em><\/p>\n<p>The <em>xx.bat<\/em> file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. 
On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the xx.bat file (in this instance, a version of Chopper):<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93217\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig4-doejocrypt-recon-command.png\" alt width=\"624\" height=\"33\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig4-doejocrypt-recon-command.png 624w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig4-doejocrypt-recon-command-300x16.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 4. DoejoCrypt recon command<\/em><\/p>\n<p>After these commands are completed, the web shell drops a new payload to <em>C:\\Windows\\Help<\/em> which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name <em>new443.exe<\/em> or <em>Direct_Load.exe<\/em>. When run, this payload injects itself into <em>notepad.exe<\/em> and reaches out to a C2 to download Cobalt Strike shellcode.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93218\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig5-doejocrypt-ransomware-attack-chain.png\" alt width=\"820\" height=\"110\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig5-doejocrypt-ransomware-attack-chain.png 820w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig5-doejocrypt-ransomware-attack-chain-300x40.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig5-doejocrypt-ransomware-attack-chain-768x103.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\"><\/p>\n<p><em>Figure 5. 
DoejoCrypt ransomware attack chain<\/em><\/p>\n<p>During the hands-on-keyboard stage of the attack, a new payload is downloaded to <em>C:\\Windows\\Help<\/em> with names like <em>s1.exe<\/em> and <em>s2.exe<\/em>. This payload is the DoejoCrypt ransomware, which uses a <em>.CRYPT<\/em> extension for the newly encrypted files and a very basic <em>readme.txt<\/em> ransom note. In some instances, the time between <em>xx.bat<\/em> being dropped and a ransomware payload running was under half an hour.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93219\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig6-doejocrypt-ransom-note.png\" alt width=\"624\" height=\"191\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig6-doejocrypt-ransom-note.png 624w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig6-doejocrypt-ransom-note-300x92.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 6. DoejoCrypt ransom note<\/em><\/p>\n<p>While the DoejoCrypt payload is the most visible outcome of this attacker\u2019s actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where <em>xx.bat<\/em> was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with <em>ntdsutil<\/em>\u2014an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.<\/p>\n<h2>Lemon Duck botnet<\/h2>\n<p>Cryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. 
In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.<\/p>\n<p>Lemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless\/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.<\/p>\n<p>Using a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93220\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig7-lemon-duck-payload-executions.png\" alt width=\"624\" height=\"77\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig7-lemon-duck-payload-executions.png 624w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig7-lemon-duck-payload-executions-300x37.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 7. Example executions of Lemon Duck payload downloads<\/em><\/p>\n<p>The Lemon Duck payload is an encoded and obfuscated PowerShell script. 
It first removes various security products from the system, then creates scheduled tasks and WMI Event subscription for persistence. A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing their administrative access to run the <em>Set-MPPreference<\/em> command to disable real-time monitoring (a tactic that Microsoft Defender <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-antivirus\/prevent-changes-to-security-settings-with-tamper-protection\">Tamper protection<\/a> blocks) and add scanning exclusions for the C:\\ drive and the PowerShell process.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93221\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig8a-lemon-duck-payloads.png\" alt width=\"599\" height=\"296\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig8a-lemon-duck-payloads.png 599w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig8a-lemon-duck-payloads-300x148.png 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93222\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig8b-lemon-duck-payloads.png\" alt width=\"599\" height=\"160\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig8b-lemon-duck-payloads.png 599w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig8b-lemon-duck-payloads-300x80.png 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\"><\/p>\n<p><em>Figure 8. Lemon Duck payloads<\/em><\/p>\n<p>One randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. 
The operators were seen to download RATs and information stealers, including <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Win32\/Ramnit\">Ramnit<\/a> payloads.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93223\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig9-Lemon-Duck-post-exploitation-activities.png\" alt width=\"820\" height=\"316\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig9-Lemon-Duck-post-exploitation-activities.png 820w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig9-Lemon-Duck-post-exploitation-activities-300x116.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig9-Lemon-Duck-post-exploitation-activities-768x296.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\"><\/p>\n<p><em>Figure 9. Lemon Duck post-exploitation activities<\/em><\/p>\n<p>In some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93224\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig10-email-subjects-lemon-duck.png\" alt width=\"623\" height=\"216\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig10-email-subjects-lemon-duck.png 623w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig10-email-subjects-lemon-duck-300x104.png 300w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\"><\/p>\n<p><em>Figure 10. 
Email subjects of possibly malicious emails<\/em><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93225\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig11-attachment-variables.png\" alt width=\"274\" height=\"70\"><\/p>\n<p><em>Figure 11. Attachment variables<\/em><\/p>\n<p>In one notable example, the Lemon Duck operators compromised a system that already had <em>xx.bat<\/em> and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers\u2019 presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.<\/p>\n<h2>Pydomer ransomware<\/h2>\n<p>While DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.<\/p>\n<p>In this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. 
They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: \u201cChack[Word][Country abbreviation]\u201d:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93226\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig12-web-shell-names-pydomer.png\" alt width=\"384\" height=\"250\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig12-web-shell-names-pydomer.png 384w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig12-web-shell-names-pydomer-300x195.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig12-web-shell-names-pydomer-200x130.png 200w\" sizes=\"auto, (max-width: 384px) 100vw, 384px\"><\/p>\n<p><em>Figure 12. Example web shell names observed being used by the Pydomer attackers<\/em><\/p>\n<p>These web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. 
The attackers then used their web shell to dump a <em>test.bat<\/em> batch file that performed a similar function in the attack chain to the <em>xx.bat<\/em> of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93227\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig13-Pydomer-post-exploitation-activities.png\" alt width=\"820\" height=\"326\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig13-Pydomer-post-exploitation-activities.png 820w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig13-Pydomer-post-exploitation-activities-300x119.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig13-Pydomer-post-exploitation-activities-768x305.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\"><\/p>\n<p><em>Figure 13. Pydomer post-exploitation activities<\/em><\/p>\n<p>This access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.<\/p>\n<p>On systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. 
The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-large wp-image-93228\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig14-Pydomer-PowerShell-downloader-spreader-1024x317.png\" alt width=\"1024\" height=\"317\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig14-Pydomer-PowerShell-downloader-spreader-1024x317.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig14-Pydomer-PowerShell-downloader-spreader-300x93.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig14-Pydomer-PowerShell-downloader-spreader-768x238.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig14-Pydomer-PowerShell-downloader-spreader.png 1430w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Figure 14. <\/em><em>PowerShell downloader and spreader used to get the Pydomer payload<\/em><\/p>\n<p>The script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain, and attempts to spread the payload throughout the network, first attempting to spread the payload over WMI using Invoke-WMIMethod to attempt to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.<\/p>\n<p>The Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. 
The ransomware encrypts the files and appends a random extension, and then drops a ransom note named <em>decrypt_file.TxT<\/em>.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93229\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig15-pydomer-ransom-note.png\" alt width=\"624\" height=\"395\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig15-pydomer-ransom-note.png 624w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig15-pydomer-ransom-note-300x190.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 15. Pydomer <\/em><em>ransom note<\/em><\/p>\n<p>Interestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative <em>readme.txt<\/em> onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93230\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig16-pydomer-extortion-readme.png\" alt width=\"624\" height=\"120\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig16-pydomer-extortion-readme.png 624w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig16-pydomer-extortion-readme-300x58.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 16. 
Pydomer extortion readme.txt<\/em><\/p>\n<h2>Credential theft, turf wars, and dogged persistence<\/h2>\n<p>If a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93231\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig17-com-services-dll-lsass-dump.png\" alt width=\"624\" height=\"25\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig17-com-services-dll-lsass-dump.png 624w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/fig17-com-services-dll-lsass-dump-300x12.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 17.<\/em><em> Use of COM services DLL to dump LSASS process<\/em><\/p>\n<p>The number of observed credential theft attacks, combined with high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don\u2019t fully remediate after a compromise even after patches have been applied. 
While the observed ransomware attempts were small-scale or had errors, there is still the possibility of <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/04\/28\/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk\/\">more skillful groups<\/a> utilizing credentials gained in these attacks for later attacks.<\/p>\n<p>Attackers also used their access to perform extensive reconnaissance using built-in Exchange commandlets and <em>dsquery<\/em> to exfiltrate information about network configurations, user information, and email assets.<\/p>\n<p>While Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining the access to the systems they exploited. By utilizing \u201cmalwareless\u201d persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.<\/p>\n<h2>Defending against exploits and post-compromise activities<\/h2>\n<p>Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. 
Comprehensive mitigation guidance can be found here: <a href=\"https:\/\/aka.ms\/ExchangeVulns\">https:\/\/aka.ms\/ExchangeVulns<\/a>.<\/p>\n<p>As seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:<\/p>\n<ul>\n<li>Investigate exposed Exchange servers for compromise, regardless of their current patch status.<\/li>\n<li>Look for web shells via our <a href=\"https:\/\/aka.ms\/exchange-customer-guidance\">guidance<\/a> and run a full AV scan using the <a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/15\/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021\/\">Exchange On-Premises Mitigation Tool<\/a>.<\/li>\n<li>Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. 
New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.<\/li>\n<li>Reset and randomize local administrator passwords with a tool like <a href=\"https:\/\/aka.ms\/laps\">LAPS<\/a> if you are not already doing so.<\/li>\n<li>Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.<\/li>\n<li>Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with <em>exe<\/em> in an attempt to hide their tracks.<\/li>\n<li>Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.<\/li>\n<li>Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.<\/li>\n<li>Check mailbox-level email forwarding settings (both <em>ForwardingAddress<\/em> and <em>ForwardingSMTPAddress<\/em> attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.<\/li>\n<\/ul>\n<p>While our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. For comprehensive investigation and mitigation guidance and tools, see <a href=\"https:\/\/aka.ms\/exchange-customer-guidance\">https:\/\/aka.ms\/exchange-customer-guidance<\/a>.<\/p>\n<p id=\"building-credential-hygiene\">Additionally, here are best practices for building credential hygiene and practicing the principle of least privilege:<\/p>\n<ul>\n<li>Follow guidance to run Exchange in least-privilege configuration: <a href=\"https:\/\/adsecurity.org\/?p=4119\">https:\/\/adsecurity.org\/?p=4119<\/a>.<\/li>\n<li>Ensure service accounts and scheduled tasks run with the least privileges they need. 
Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.<\/li>\n<li>Randomize local administrator passwords to prevent lateral movement with tools like <a href=\"https:\/\/aka.ms\/laps\">LAPS<\/a>.<\/li>\n<li>Ensure administrators practice good administration habits like <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/overview\">Privileged Admin Workstations<\/a>.<\/li>\n<li>Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.<\/li>\n<\/ul>\n<h2>Appendix<\/h2>\n<h3>Microsoft Defender for Endpoint detection details<\/h3>\n<p><strong>Antivirus<\/strong><\/p>\n<p>Microsoft Defender Antivirus detects exploitation behavior with these detections:<\/p>\n<p>Web shells are detected as:<\/p>\n<p>Ransomware payloads and associated files are detected as:<\/p>\n<p>Lemon Duck malware is detected as:<\/p>\n<p>Some of the credential theft techniques highlighted in this report are detected as:<\/p>\n<p><strong>Endpoint detection and response (EDR)<\/strong><\/p>\n<p>Alerts with the following titles in the 
security center can indicate threat activity on your network:<\/p>\n<ul>\n<li>Suspicious Exchange UM process creation<\/li>\n<li>Suspicious Exchange UM file creation<\/li>\n<li>Suspicious w3wp.exe activity in Exchange<\/li>\n<li>Possible exploitation of Exchange Server vulnerabilities<\/li>\n<li>Possible IIS web shell<\/li>\n<li>Possible web shell installation<\/li>\n<li>Web shells associated with Exchange Server vulnerabilities<\/li>\n<li>Network traffic associated with Exchange Server exploitation<\/li>\n<\/ul>\n<p>Alerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:<\/p>\n<ul>\n<li>DoejoCrypt ransomware<\/li>\n<li>Pydomer ransomware<\/li>\n<li>Pydomer download site<\/li>\n<\/ul>\n<p>Alerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:<\/p>\n<ul>\n<li>LemonDuck Malware<\/li>\n<li>LemonDuck botnet C2 domain activity<\/li>\n<\/ul>\n<p>The following behavioral alerts might also indicate threat activity associated with this threat:<\/p>\n<ul>\n<li>Possible web shell installation<\/li>\n<li>A suspicious web script was created<\/li>\n<li>Suspicious processes indicative of a web shell<\/li>\n<li>Suspicious file attribute change<\/li>\n<li>Suspicious PowerShell command line<\/li>\n<li>Possible IIS Web Shell<\/li>\n<li>Process memory dump<\/li>\n<li>A malicious PowerShell Cmdlet was invoked on the machine<\/li>\n<li>WDigest configuration change<\/li>\n<li>Sensitive information lookup<\/li>\n<li>Suspicious registry export<\/li>\n<\/ul>\n<h3>Advanced hunting<\/h3>\n<p>To locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.<\/p>\n<p><strong>Processes run by the IIS worker process<\/strong><\/p>\n<p>Look for processes executed by the IIS worker process<\/p>\n<p><code>\/\/ Broadly search for processes executed by the IIS worker process. 
Further investigation should be performed on any devices where the created process is indicative of reconnaissance<br \/>DeviceProcessEvents<br \/>| where InitiatingProcessFileName == 'w3wp.exe'<br \/>| where InitiatingProcessCommandLine contains \"MSExchange\"<br \/>| where FileName !in~ (\"csc.exe\",\"cvtres.exe\",\"conhost.exe\",\"OleConverter.exe\",\"wermgr.exe\",\"WerFault.exe\",\"TranscodingService.exe\")<br \/>| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p>Search for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains<\/p>\n<p><code>DeviceProcessEvents<br \/>| where FileName =~ \"powershell.exe\"<br \/>| where InitiatingProcessFileName =~ \"w3wp.exe\"<br \/>| where InitiatingProcessCommandLine contains \"MSExchange\"<br \/>| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p><strong>Tampering<\/strong><\/p>\n<p>Search for Lemon Duck tampering with Microsoft Defender Antivirus<\/p>\n<p><code>DeviceProcessEvents<br \/>| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\")<br \/>| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p><strong>Batch script actions <\/strong><\/p>\n<p>Search for batch scripts performing credential theft, as observed in DoejoCrypt infections<\/p>\n<p><code>DeviceProcessEvents<br \/>| where InitiatingProcessFileName == \"cmd.exe\"<br \/>| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"C:\\Windows\\Temp\"<br \/>| where ProcessCommandLine has \"reg save\"<br \/>| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p>Look for evidence of batch script execution that leads to credential dumping<\/p>\n<p><code>\/\/ Search for batch script execution, 
leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use<br \/>DeviceProcessEvents<br \/>| where InitiatingProcessFileName =~ \"cmd.exe\"<br \/>| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"\\inetpub\\wwwroot\\aspnet_client\\\"<br \/>| where InitiatingProcessParentFileName has \"w3wp\"<br \/>| where FileName != \"conhost.exe\"<br \/>| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p><strong>Suspicious files dropped under an aspnet_client folder<\/strong><\/p>\n<p>Look for dropped suspicious files like web shells and other components<\/p>\n<p><code>\/\/ Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\\inetpub\\wwwroot\\aspnet_client\\<br \/>DeviceFileEvents<br \/>| where InitiatingProcessFileName == \"w3wp.exe\"<br \/>| where FolderPath has \"\\\\aspnet_client\\\\\"<br \/>| where InitiatingProcessCommandLine contains \"MSExchange\"<br \/>| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p><strong>Checking for persistence on systems that have been suspected as compromised<\/strong><\/p>\n<p>Search for creations of new local accounts<\/p>\n<p><code>DeviceProcessEvents<br \/>| where FileName == \"net.exe\"<br \/>| where ProcessCommandLine has_all (\"user\", \"add\")<br \/>| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p><strong>Search for installation events that were used to download ScreenConnect for persistence <\/strong><\/p>\n<p>Note that this query may be noisy and is not necessarily indicative of malicious activity alone.<\/p>\n<p><code>DeviceProcessEvents<br \/>| where FileName =~ \"msiexec.exe\"<br \/>| where ProcessCommandLine has @\"C:\\Windows\\Temp\\\"<br \/>| parse-where kind=regex flags=i ProcessCommandLine with @\"C:\\\\Windows\\\\Temp\\\\\" 
filename:string @\".msi\"<br \/>| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp<\/code><\/p>\n<p><strong>Hunting for credential theft<\/strong><\/p>\n<p>Search for logon events related to services and scheduled tasks on devices that may be Exchange servers. The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.<\/p>\n<p><code>let devices =<br \/>DeviceProcessEvents<br \/>| where InitiatingProcessFileName == \"w3wp.exe\" and InitiatingProcessCommandLine contains \"MSExchange\"<br \/>| distinct DeviceId;<br \/>\/\/<br \/>DeviceLogonEvents<br \/>| where DeviceId in (devices)<br \/>| where LogonType in (\"Batch\", \"Service\")<br \/>| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp<\/code><\/p>\n<p>Search for WDigest registry key modification, which allows for the LSASS process to store plaintext passwords.<\/p>\n<p><code>DeviceRegistryEvents<br \/>| where RegistryValueName == \"UseLogonCredential\"<br \/>| where RegistryKey has \"WDigest\" and RegistryValueData == \"1\"<br \/>| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp<\/code><\/p>\n<p>Search for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.<\/p>\n<p><code>DeviceProcessEvents<br \/>| where InitiatingProcessCommandLine has_all (\"rundll32.exe\", \"comsvcs.dll\")<br \/>| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp<\/code><\/p>\n<p>Search for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be 
extracted.<\/p>\n<p><code>DeviceProcessEvents<br \/>| where FileName == \"reg.exe\"<br \/>| where ProcessCommandLine has \"save\" and ProcessCommandLine has_any (\"hklm\\\\security\", \"hklm\\\\sam\")<br \/>| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp<\/code><\/p>\n<h2>Indicators<\/h2>\n<p>Selected indicators from attacks are included here; the threats may utilize files and network indicators not represented here.<\/p>\n<p><strong>Files (SHA-256)<\/strong><\/p>\n<p>The following are file hashes for some of the web shells observed during attacks:<\/p>\n<p>DoejoCrypt associated hashes:<\/p>\n<p>Lemon Duck associated hashes:<\/p>\n<p>Pydomer associated hashes:<\/p>\n<p><strong>Network indicators<\/strong><\/p>\n<p>Domains abused by Lemon Duck:<\/p>\n<ul>\n<li>down[.]sqlnetcat[.]com<\/li>\n<li>t[.]sqlnetcat[.]com<\/li>\n<li>t[.]netcatkit[.]com<\/li>\n<\/ul>\n<p>Pydomer DGA network indicators:<\/p>\n<ul>\n<li>uiiuui[.]com\/search\/*<\/li>\n<li>yuuuuu43[.]com\/vpn-service\/*<\/li>\n<li>yuuuuu44[.]com\/vpn-service\/*<\/li>\n<li>yuuuuu46[.]com\/search\/*<\/li>\n<\/ul>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/25\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments.<br \/>\nThe post Analyzing attacks taking advantage of the Exchange Server vulnerabilities appeared first on Microsoft Security. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":40166,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[2292,347,9290,3873,643,9291,7221,8883,9292,91,19],"class_list":["post-40165","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-coin-miner","tag-cybersecurity","tag-doejocrypt","tag-exchange-server","tag-exploits","tag-lemon-duck","tag-microsoft-security-intelligence","tag-post-exploitation","tag-pydomer","tag-ransomware","tag-vulnerabilities"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analyzing attacks taking advantage of the Exchange Server vulnerabilities 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyzing attacks taking advantage of the Exchange Server vulnerabilities 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-03-25T21:21:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png\" \/>\n\t<meta property=\"og:image:width\" content=\"820\" \/>\n\t<meta property=\"og:image:height\" content=\"316\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Analyzing attacks taking advantage of the Exchange Server vulnerabilities\",\"datePublished\":\"2021-03-25T21:21:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/\"},\"wordCount\":4794,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png\",\"keywords\":[\"coin miner\",\"Cybersecurity\",\"DoejoCrypt\",\"Exchange Server\",\"exploits\",\"Lemon Duck\",\"Microsoft security intelligence\",\"post-exploitation\",\"Pydomer\",\"ransomware\",\"Vulnerabilities\"],\"articleSection\":[\"Microsoft 
Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/\",\"name\":\"Analyzing attacks taking advantage of the Exchange Server vulnerabilities 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png\",\"datePublished\":\"2021-03-25T21:21:07+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png\",\"width\":820,\"height\":316},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"coin miner\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/coin-miner\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing attacks taking advantage of the Exchange Server vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity 
Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyzing attacks taking advantage of the Exchange Server vulnerabilities 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/","og_locale":"en_US","og_type":"article","og_title":"Analyzing attacks taking advantage of the Exchange Server vulnerabilities 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-03-25T21:21:07+00:00","og_image":[{"width":820,"height":316,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Analyzing attacks taking advantage of the Exchange Server vulnerabilities","datePublished":"2021-03-25T21:21:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/"},"wordCount":4794,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png","keywords":["coin miner","Cybersecurity","DoejoCrypt","Exchange Server","exploits","Lemon Duck","Microsoft security 
intelligence","post-exploitation","Pydomer","ransomware","Vulnerabilities"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/","url":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/","name":"Analyzing attacks taking advantage of the Exchange Server vulnerabilities 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png","datePublished":"2021-03-25T21:21:07+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities.png","width":820,"height":316},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"coin miner","item":"https:\/\/www.threatshub.org\/blog\/tag\/coin-miner\/"},{"@type":"ListItem","position":3,"name":"Analyzing attacks taking advantage of the Exchange Server vulnerabilities"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 
SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/40165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=40165"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/40165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/40166"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=40165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=40165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=40165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}