On-prem Exchange Exploitation
Update 6 - 03/03/2021 - 1013 ET
We're just starting to get into analyzing actor behavior with the webshells. Thus far, we've seen two IP addresses tied to Digital Ocean droplets that were used to connect into the webshells:
165.232.154[.]116 <-- not listed in Volexity's amazing blog
The actions observed thus far have involved using net.exe to add administrators to, and/or delete them from, the "Exchange Organization administrators" group. It's worth noting that other researchers have highlighted the use of ProcDump to capture credentials/hashes stored within LSASS process memory. Considering the actor's use of multiple 0days, this loud/overt tradecraft is a somewhat surprising combination. Then again, the actor appears to have sprayed this exploit all over the internet, so perhaps its modus operandi is closer to "YOLO"?
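The two behaviours above (net.exe touching the "Exchange Organization administrators" group, and ProcDump being pointed at LSASS) are noisy enough to hunt for in process-creation telemetry. The script below is an added example, not code from the original post or from any of the researchers it cites. It assumes Sysmon Event ID 1 / Security 4688-style records reduced to parent image, image, command line and user; that webshell commands show up as children of the IIS worker process w3wp.exe (typical for ASPX webshells, but an assumption here); and it keys the LSASS rule on the dump flags plus the lsass target rather than on the binary name, since a renamed procdump64.exe is trivial for the actor. The sample events are constructed, not real logs.

```python
# Added example: hunting for the webshell follow-on activity described above
# in process-creation records. Not code from the original post.
# Assumptions: field layout below; webshell children hang off w3wp.exe.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str
    user: str


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: webshell in the IIS worker process spawns a shell to run net.exe
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c net group "Exchange Organization administrators" svc_backup /add /domain',
              r"NT AUTHORITY\SYSTEM"),
    # 1: the resulting net.exe call
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              'net group "Exchange Organization administrators" svc_backup /add /domain',
              r"NT AUTHORITY\SYSTEM"),
    # 2: the same account removed again later (net.exe hands off to net1.exe)
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net1.exe",
              'net1 group "Exchange Organization administrators" svc_backup /delete /domain',
              r"NT AUTHORITY\SYSTEM"),
    # 3: renamed ProcDump dumping LSASS, launched straight from the worker process
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\Temp\pd64.exe",
              r"pd64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp",
              r"NT AUTHORITY\SYSTEM"),
    # 4: benign: an admin mapping a drive from an interactive session
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe",
              r"net use Z: \\fileserver\share", r"CORP\jsmith"),
    # 5: benign: the worker process spawning conhost
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0x4", r"NT AUTHORITY\SYSTEM"),
]

# Interpreters and LOLBins that w3wp.exe has no business spawning (assumed list).
SUSPICIOUS_W3WP_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe",
    "whoami.exe", "rundll32.exe", "certutil.exe",
}

# net/net1 [local]group "Exchange Organization administrators" <user> /add|/del|/delete
EXCHANGE_ADMIN_GROUP_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+(?:local)?group\s+"?exchange organization administrators"?'
    r'\s+\S+\s+/(?:add|del(?:ete)?)\b',
    re.I,
)
# ProcDump dump-type switches and the LSASS target, matched independently of the image name.
PROCDUMP_FLAG_RE = re.compile(r"(?:^|\s)-(?:ma|mm|mp|mt)\b", re.I)
LSASS_RE = re.compile(r"\blsass(?:\.exe)?\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules this event trips (empty list if none)."""
    hits: list[str] = []
    if basename(ev.parent_image) == "w3wp.exe" and basename(ev.image) in SUSPICIOUS_W3WP_CHILDREN:
        hits.append("w3wp_spawned_shell")
    if EXCHANGE_ADMIN_GROUP_RE.search(ev.command_line):
        hits.append("exchange_admin_group_change")
    if LSASS_RE.search(ev.command_line) and (
        basename(ev.image).startswith("procdump") or PROCDUMP_FLAG_RE.search(ev.command_line)
    ):
        hits.append("lsass_dump")
    return hits


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that matched at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {', '.join(rules)}: {basename(ev.parent_image)} -> {ev.command_line}")
```

Run against the constructed sample, events 0 through 3 are flagged and the two benign records are not. The LSASS rule deliberately ignores the executable name; the group-membership rule is string-matched on the group name exactly as it appears in this post, so adjust it if your environment names the group differently.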