Microsoft IOC Detection Tool for Exchange Server vulnerabilities



Fortify Security Team



Sep 28, 2024

Microsoft has released the EOMT.ps1 tool that can automate portions of both the detection and patching process and help your organization check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.

In addition, CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actors can upload a webshell to enable remote administration of the affected system.

CISA has also added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware.

CISA encourages users and administrators to review the following resources for more information.

Microsoft IOC Detection Tool for Exchange Server Vulnerabilities: https://github.com/microsoft/CSS-Exchange/tree/main/Security
Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
MAR-10328877-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a
MAR-10328923-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b
MAR-10329107-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c
MAR-10329297-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d
MAR-10329298-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e
MAR-10329301-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f
MAR-10329494-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g
CISA’s Remediating Microsoft Exchange Vulnerabilities web page: https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities
CISA’s Ransomware Guidance and Resources web page: https://www.cisa.gov/ransomware

← Prev

Next →

CVE-2022-30190 aka Follina

Sep 28, 2024 | Cyberthreat Research

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the...

AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

Sep 28, 2024 | Cyberthreat Research, Security Advisories

Summary This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This joint advisory is the result of analytic efforts among...

BlackCat/ALPHV Ransomware IOCs

Sep 28, 2024 | Cyberthreat Research

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

IOCs Associated with Ranzy Locker Ransomware

Sep 28, 2024 | Cyberthreat Research

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

BlackMatter Ransomware

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised...