On-prem Exchange Exploitation

huntresslabs (Vendor) · 11 hours ago · edited 2 hours ago

Update 6 - 03/03/2021 - 1013 ET: We're just starting to get into analyzing actor behavior with the webshells. Thus far, we've seen two IP addresses tied to Digital Ocean droplets that were used to connect into the webshells:

The actions observed thus far have involved using net.exe to add and/or delete administrators from the "Exchange Organization administrators" group. It's worth noting that other researchers have highlighted the use of ProcDump to capture credentials/hashes stored within LSASS process memory. Considering the actor's use of multiple 0days, this loud/overt tradecraft is a somewhat surprising combination. Then again, the actor appears to have sprayed this exploit all over the internet, so perhaps its modus operandi is closer to "YOLO"?
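The two behaviors called out above (net.exe membership changes to the "Exchange Organization administrators" group, and ProcDump against LSASS) are the kind of thing that is cheap to hunt for in process-creation telemetry. The following is an added detection sketch, not Huntress's code: it runs over constructed Sysmon-style process-creation records, and the use of the IIS worker process w3wp.exe as the parent to mark webshell-spawned commands is an assumption, not something this post states.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# These are illustrative only, not telemetry from the incident above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Exchange Organization administrators" newadmin /add /domain',
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Exchange Organization administrators" jsmith /delete /domain',
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"image": r"C:\Temp\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# net / net1 group modification of the Exchange admin group (add or delete).
EXCHANGE_ADMIN_GROUP = re.compile(
    r'net(?:1)?(?:\.exe)?\s+group\s+"?exchange organization administrators"?'
    r"\s+\S+\s+/(add|del(?:ete)?)", re.IGNORECASE)
# ProcDump pointed at the LSASS process (credential/hash harvesting).
LSASS_DUMP = re.compile(r"procdump(?:64)?(?:\.exe)?.*\blsass\b", re.IGNORECASE)
# Assumption: parent w3wp.exe (IIS worker) indicates a webshell-spawned command.
WEB_WORKER = re.compile(r"\\w3wp\.exe$", re.IGNORECASE)


def classify(event):
    """Return the list of alert labels that apply to one process-creation event."""
    alerts = []
    cmd = event["cmdline"]
    m = EXCHANGE_ADMIN_GROUP.search(cmd)
    if m:
        action = "add" if m.group(1).lower() == "add" else "delete"
        alerts.append("exchange-admin-group-" + action)
    if LSASS_DUMP.search(cmd):
        alerts.append("lsass-memory-dump")
    if alerts and WEB_WORKER.search(event["parent"]):
        alerts.append("spawned-by-iis-worker")
    return alerts


def scan(events):
    """Return (cmdline, alerts) for every event that triggers at least one alert."""
    flagged = []
    for e in events:
        alerts = classify(e)
        if alerts:
            flagged.append((e["cmdline"], alerts))
    return flagged
```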
