New Wave of Targeted Hacking Campaigns and Ransomware Attacks Exploiting Microsoft Exchange Server Vulnerabilities

Multiple threat actors, including Hafnium, LuckyMouse, Calypso, Winnti, Bronze Butler, Websiic, Tonto, Mikroceen, and DLTMiner, are actively targeting four zero-day Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in their targeted malware attacks and hacking campaigns.

These threat actors managed to compromise nearly 30,000 Microsoft Exchange servers located within the United States. Approximately 7,000 organizations worldwide are impacted by the on-going cyber-attacks on these servers.

European Banking Authority (EBA) and the Norwegian Parliament are two high-profile victims among them. Threat actors behind the breaches in these two organizations managed to exfiltrate data onto the attacker-controlled virtual private servers (VPS).

Recently, DearCry (.CRYPT) ransomware operators also began taking advantage of these vulnerabilities to perform unauthorized data encryption on compromised Microsoft Exchange servers. This raises severe concerns about the risk of data loss and interruptions in business operations for many organizations worldwide.

1. Who is at risk?

These threat actors target organizations across sectors in the Americas, Europe, Middle East, and APAC. The victims could also include research organizations, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs. The attackers’ goal could be to exfiltrate large amounts of sensitive data through their leased virtual private servers (VPS).

Considering the range of organizations attacked in a short period and the vast number of organizations using Microsoft Exchange Servers, the attackers have a wide variety of potential-targets across the globe.


2. How are the attacks carried out?

The threat actors use exploit codes that send well-crafted HTTP requests towards vulnerable Exchange Servers. These codes target server-side request forgery vulnerability (CVE-2021-26855) to trigger authentication and gain unauthorized initial-access into the servers.

After gaining initial-access, these threat actors proceed to exploit the insecure deserialization vulnerability (CVE-2021-26857) in the servers, allowing them to execute an arbitrary code in the context of the SYSTEM privilege account.

They exploit either of the two arbitrary file-write vulnerabilities, namely, CVE-2021-26858 or CVE-2021-27065. Then they deploy the China Chopper webshell onto the compromised Microsoft Exchange server.

Through the China Chopper webshell, threat actors can perform multiple unauthorized activities such as,

  • Dumping the LSASS process memory using Procdump
  • Compressing stolen data into a ZIP archive (using 7-zip) before exfiltration
  • Adding and using Exchange PowerShell snap-ins to export mailbox data
  • Invoke-PowerShellTcpOneLine reverse shell, using Nishang
  • Open a connection to a remote server using PowerCat
  • Downloading offline address books from compromised Microsoft Exchange servers containing information on an organization and its users

On February 18, 2021, Microsoft disclosed a data breach incident caused by the threat actors behind SolarWinds supply chain attack. During the SolarWinds breach, threat actors managed to exfiltrate a portion of the source codes related to Microsoft Exchange and Microsoft Azure products. These on-going malware attacks and hacking campaigns exploiting the Microsoft Exchange Server vulnerabilities could be the follow-up cyber-attacks connected to the SolarWinds breach.

3. Who are the threat actors, and why are they dangerous?

Multiple threat actors, including Hafnium, LuckyMouse, Calypso, Winnti, Bronze Butler, Websiic, Tonto, Mikroceen, and DLTMiner, are taking advantage of the Microsoft Exchange vulnerabilities in their targeted malware attacks and hacking campaigns.

These threat actors continue to target multiple federal, state, and local government organizations and private organizations in medical, legal, telecommunications, finance, energy, and other sectors.

Since the last three months, threat actors are more focused on the usage of webshell as a standard method to gain and retain initial footholds to distribute staged payloads. This increases the potential impact in the post-exploitation phase.

For instance, DearCry ransomware operators taking advantage of Microsoft Exchange vulnerabilities have also adopted webshell as a preferred method to distribute the ransomware attack further.

The future threat landscape for web application services is drastically affected due to the increasing usage of webshell and steganography, two extremely successful attack delivery methods. They have a low detection rate and can cause considerable damage to many organizations worldwide.


4. What can you do to mitigate or prevent such attacks?

Cyber-attacks can be detected, contained, and prevented at the earliest, only when organizations act timely and responsibly. Following the best cybersecurity practices is instrumental in preventing such attacks.

Below are a few critical remediations to reduce or eliminate the risk posed by the threat actors leveraging Microsoft Exchange vulnerabilities:

  • Apply security patches for Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
  • Ensure that Microsoft Exchange servers follow best security practices and that they are timely reviewed to eliminate any risk caused by access control or misconfiguration issues
  • Block IPS signatures related to vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  • Enable File Integrity Monitoring (FIM) for files and directories on Microsoft Exchange servers
  • Block malicious IP addresses, hashes, user-agents, and non-standard user-agents
  • Create SIEM use-cases to monitor network traffics and endpoint security reports for a potential match against IOCs
  • Run Microsoft Safety Scanner on Microsoft Exchange, Microsoft Azure, and Microsoft Windows servers
  • Run Microsoft one-click EOMT tool on Microsoft Exchange
  • Ensure data backup is done periodically via the out-of-band network onto the server with limited or no internet access


Follow these recommendations for additional protection:

  • Strictly ensure that TCP Port 135, TCP Port 445, and TCP Port 3389 are not left open on the Internet or DMZ facing side
  • Ensure TCP Port 135 (RPC), TCP Port 445 (SMB), and TCP Port 3389 (RDP) are only accessible through VPN tunnel between VPN clients’ and organization’s resources
  • Ensure that proper network segmentation is done and that the communication through TCP Port 135, TCP Port 445, and TCP Port 3389 is explicitly allowed on-demand only for particular network segments when needed
  • Network segments that allow communication over TCP Port 135, TCP Port 445, and TCP Port 3389 should be strictly monitored for any anomalies or suspicious patterns like lateral movement, excessive network traffic, an unusual amount of data transmission, etc.
  • VNC (5900), SOCKS (1080), and SMTP (587) ports should be closely monitored
  • Monitor network traffic towards malware C2 ports 4701, 4313, and 4315
  • Enable deep inspection for outbound FTP and HTTP traffic passing through Web Application Firewall (WAF)
  • Enforce Two-Factor authentication for VPN clients prior to connecting to the organization’s resources through the VPN tunnel
  • VPN client software and VPN servers should be patched with the latest security updates released by the vendor
  • Monitor for excessive LDAP queries from particular systems via SIEM solution
  • Domain Accounts should follow the least privilege principle, and Two-Factor authentication should be enabled on all business email accounts





Indicators of Compromise (IOCs):






Hash (SHA-256): feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
Hash (SHA-256): e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
Hash (SHA-256): 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
Hash (SHA-256): 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
Hash (SHA-256): b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
Hash (SHA-256): 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
Hash (SHA-256): 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
Hash (SHA-256): 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
Hash (SHA-256): 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
Hash (SHA-256): 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
Hash (SHA-256): 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
Hash (SHA-256): 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
Hash (SHA-256): 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e
Hash (SHA-256): 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc
Hash (SHA-256): a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a
User-Agent: ExchangeServicesClient/
User-Agent: python-requests/2.19.1
User-Agent: python-requests/2.25.1
Non-Standard User-Agent: DuckDuckBot/1.0;+(+
Non-Standard User-Agent: facebookexternalhit/1.1+(+
Non-Standard User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++
Non-Standard User-Agent: Mozilla/5.0+(compatible;+Bingbot/2.0;++
Non-Standard User-Agent: Mozilla/5.0+(compatible;+Googlebot/2.1;++
Non-Standard User-Agent: Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
Non-Standard User-Agent: Mozilla/5.0+(compatible;+Yahoo!+Slurp;+
Non-Standard User-Agent: Mozilla/5.0+(compatible;+YandexBot/3.0;++
Non-Standard User-Agent: Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36
Remote Command: S:CMD=Set-OabVirtualDirectory.ExternalUrl=’
WebShell Filename: web.aspx
WebShell Filename: help.aspx
WebShell Filename: document.aspx
WebShell Filename: errorEE.aspx
WebShell Filename: errorEEE.aspx
WebShell Filename: errorEW.aspx
WebShell Filename: errorFF.aspx
WebShell Filename: healthcheck.aspx
WebShell Filename: aspnet_www.aspx
WebShell Filename: aspnet_client.aspx
WebShell Filename: xx.aspx
WebShell Filename: shell.aspx
WebShell Filename: aspnet_iisstart.aspx
WebShell Filename: one.aspx
Targeted Filename: /owa/auth/Current/themes/resources/logon.css
Targeted Filename: /owa/auth/Current/themes/resources/owafont_ja.css
Targeted Filename: /owa/auth/Current/themes/resources/lgnbotl.gif
Targeted Filename: /owa/auth/Current/themes/resources/owafont_ko.css
Targeted Filename: /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
Targeted Filename: /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
Targeted Filename: /owa/auth/Current/themes/resources/lgnbotl.gif
Targeted IIS Path: C:\inetpub\wwwroot\aspnet_client\
Targeted IIS Path: C:\inetpub\wwwroot\aspnet_client\system_web\
Targeted Exchange Path: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
Targeted Exchange Path: C:\Exchange\FrontEnd\HttpProxy\owa\auth\



Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.