
On-prem Exchange Exploitation

huntresslabs Vendor 11 hours ago·edited 2 hours ago

Update 6 - 03/03/2021 - 1013 ET We're just starting to get into analyzing actor behavior with the webshells. Thus far, we've seen two IP addresses tied to Digital Ocean droplets that were used to connect into the webshells:

The actions observed thus far have involved using net.exe to add and/or delete administrators from the "Exchange Organization administrators" group. It's worth noting that other researchers have highlighted the use of ProcDump to capture credentials/hashes stored within LSASS process memory. Considering the actor's use of multiple 0days, this loud/overt tradecraft is a somewhat surprising combination. Then again, the actor appears to have sprayed this exploit all over the internet, so perhaps its modus operandi is closer to "YOLO"?
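Detection logic for the two behaviours described above (net.exe changes to the "Exchange Organization administrators" group, and ProcDump against LSASS), written as an added example for this post and not Huntress code. It assumes process-creation telemetry with Sysmon-style Image/ParentImage/CommandLine fields flattened to one line per event, treats a w3wp.exe (IIS worker) parent as the webshell indicator, and uses constructed sample records; the severity labels are the example's own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 fields flattened to
# one line each). These records were written for this example, not captured from
# a real incident.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\net.exe|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|'
    'CommandLine=net group "Exchange Organization administrators" svc_backup /add /domain',
    'Image=C:\\Windows\\System32\\net1.exe|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|'
    'CommandLine=net1 group "Exchange Organization administrators" tmpadm /delete /domain',
    'Image=C:\\Tools\\procdump64.exe|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|'
    'CommandLine=procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp',
    'Image=C:\\Windows\\System32\\net.exe|ParentImage=C:\\Windows\\explorer.exe|'
    'CommandLine=net use Z: \\\\fileserver\\share',
    'Image=C:\\Windows\\System32\\net.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|'
    'CommandLine=net group "Exchange Organization administrators" /domain',
]

EXCHANGE_ADMIN_GROUP = "exchange organization administrators"
IIS_WORKER = "w3wp.exe"  # assumption: IIS worker hosting OWA/ECP is the webshell's parent

def parse_event(line):
    """Split a flattened 'Key=Value|Key=Value' record into a dict (values keep any '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (rule, severity) for a suspicious event, or None if nothing matched."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    rule = None
    # Membership change (not mere enumeration) of the Exchange admin group via net/net1.
    if image in ("net.exe", "net1.exe") and "group" in cmd \
            and EXCHANGE_ADMIN_GROUP in cmd and re.search(r"/(add|delete)\b", cmd):
        rule = "exchange_admin_group_change"
    # ProcDump pointed at LSASS, i.e. credential/hash capture from process memory.
    elif image.startswith("procdump") and "lsass" in cmd:
        rule = "lsass_memory_dump"
    if rule is None:
        return None
    return rule, ("critical" if parent == IIS_WORKER else "high")

def scan(lines):
    """Run every record through classify() and return the list of findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```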
