Mitigate Microsoft Exchange Server Vulnerabilities | CISA
Tags
Common Information
Type | Value |
---|---|
UUID | c6579bc9-6200-4213-a492-e4e673544ae6 |
Fingerprint | b611f851bf2791e3 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 3, 2021, midnight |
Added to db | Sept. 26, 2022, 9:33 a.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | Alert (AA21-062A) |
Title | Mitigate Microsoft Exchange Server Vulnerabilities | CISA |
Detected Hints/Tags/Attributes | 98/3/87 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://us-cert.cisa.gov/ncas/alerts/aa21-062a |
Attributes
Details | Type | #Events | Value |
---|---|---|---|
Details | CVE | 184 | cve-2021-26855 |
Details | CVE | 90 | cve-2021-26857 |
Details | CVE | 92 | cve-2021-26858 |
Details | CVE | 126 | cve-2021-27065 |
Details | Url | 4 | https://github.com/sensepost/regeorg/blob/master/tunnel.aspx |
Details | Url | 1 | https://accessdata.com/product-download/ |
Details | Url | 1 | https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape |
Details | Url | 2 | https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server |
Details | Url | 8 | https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers |
Details | Url | 3 | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities |
Details | Url | 2 | https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021 |
Yara rule (1 event):

```yara
rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
        hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"

    strings:
        $header = "<%@ Page Language=\"C#\" %>"
        $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"

    condition:
        $header at 0 and $body and filesize < 1KB
}
```

Yara rule (1 event):

```yara
rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
        hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"

    strings:
        $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
        $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="

        $var1 = "Result.InnerText = string.Empty;"
        $var2 = "newcook.Expires = DateTime.Now.AddDays("
        $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
        $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
        $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
        $var6 = "<input type=\"submit\" value=\"Upload\" />"

    condition:
        any of ($uniq*) or all of ($var*)
}
```