Until two weeks ago, thousands of Microsoft Exchange servers were under attack without anyone knowing it. Since Microsoft and other researchers uncovered this severe cyber offensive against various U.S. institutions, organizations have been scrambling to patch the vulnerabilities used in the attack, understand the extent of the potential damage, and ensure protection for next time (and there will be a next time). In this blog post, we'll explain how to do exactly that.
As we wrote in our earlier post, Hafnium, the Chinese APT group behind the attacks, used a set of four previously unknown Exchange Server vulnerabilities to access victim mailboxes and perform remote code execution (RCE). The attacks played out as follows:
The attackers first used the vulnerabilities or stolen passwords to gain access to the server.
Then, they created a web shell, allowing them remote control of the compromised server.
At that point they had full control, with the ability to steal mailbox contents and data from the victim organization. They could also use this access as a beachhead and then move laterally within the organization's infrastructure.
Threat actors, including Hafnium, have been observed using anonymous VPN services as part of the attacks leveraging the MS Exchange 0-day vulnerabilities. Yes, anonymous VPN is that thing many people use to trick Netflix into letting them access a different country's content library. Not surprisingly, cyber criminals are also in on the deal: the same simple-to-use technology proves very effective at disguising the origin of large-scale attacks. Blacklisting the exit IPs of these anonymous services protects users from suspicious and potentially malicious traffic, and could have protected the victims of this attack. ThreatSTOP customers are protected by our Anonymous VPN Services Exit – IPs target, which blocks traffic from anonymous VPN providers.
Once an attack becomes known and researchers start delving into the attack methods and infrastructure, numerous indicators of compromise (IOCs) are published, either publicly or through paid subscriptions and partnerships. The problem, therefore, is not insufficient data. The challenge is aggregating all of it and putting it into effect. Applying blocklists that include all the latest IOCs for a given attack dramatically strengthens your first line of defense and simply stops any attack that relies on those IOCs. We automatically aggregate high-quality threat intelligence from over 800 sources, updated minute-by-minute with the newest IOCs as they are uncovered.
Following the disclosure of the MS Exchange attacks, our security team built URL, domain and IP lists for these attacks. Much of the data in these lists comes from Blue Team Blog, as well as other threat intelligence sources and security blogs. If you are already a ThreatSTOP customer, you are automatically protected from this attack infrastructure as well as other threats like it. Not a ThreatSTOP user yet? Add these IOCs to your blocklists to ensure you are protected from now on against these adversaries and campaigns.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?
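Published IOC lists like the ones above arrive defanged (hxxp://, [.]) and overlap between sources, so the practical work is normalizing, merging and then matching them against your own telemetry. The following is an added illustration of that workflow, not ThreatSTOP's own tooling; the feed contents, source names and log lines are constructed placeholders (RFC 5737 addresses and example.* hosts), not indicators from this campaign.

```python
import re
from ipaddress import ip_address

# Constructed sample feeds in the defanged form used in published IOC lists
# (hxxp://, [.]); RFC 5737 / example.* placeholders, not real indicators.
FEEDS = {
    "feed-a": ["198.51.100[.]23", "hxxp://cdn[.]example[.]net/p?low", "192.0.2[.]7"],
    "feed-b": ["192.0.2[.]7", "c2[.]example[.]org", "hxxps://c2[.]example[.]org/api/write"],
}

def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.]) back into its real form."""
    s = ioc.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

def classify(ioc):
    """Return (kind, value) with kind in {'ip', 'url', 'domain'}."""
    if "://" in ioc:
        return "url", ioc
    try:
        ip_address(ioc)
        return "ip", ioc
    except ValueError:
        return "domain", ioc.lower()

def aggregate(feeds):
    """Merge feeds into one de-duplicated blocklist: (kind, value) -> set of reporting feeds."""
    blocklist = {}
    for source, entries in feeds.items():
        for raw in entries:
            blocklist.setdefault(classify(refang(raw)), set()).add(source)
    return blocklist

# Constructed access-log lines; the client IP is the first field.
LOG = """198.51.100.23 - - [10/Mar/2021:08:01:02 +0000] "POST /owa/auth/logon.aspx HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2021:08:01:05 +0000] "GET /owa/ HTTP/1.1" 200 4096
192.0.2.7 - - [10/Mar/2021:08:02:11 +0000] "GET /ecp/ HTTP/1.1" 200 77
"""

def flag_hits(log_text, blocklist):
    """Return (client_ip, sorted_sources) for every line whose client IP is listed."""
    hits = []
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]
        if ("ip", client) in blocklist:
            hits.append((client, sorted(blocklist[("ip", client)])))
    return hits
```

Running `flag_hits(LOG, aggregate(FEEDS))` reports the two listed client addresses together with every feed that reported each one, which is the evidence you want when triaging a hit rather than a bare match.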