Until two weeks ago, thousands of Microsoft Exchange servers were under attack without anyone knowing. Since Microsoft and other researchers uncovered this severe cyber offensive against various U.S. institutions, organizations have been scrambling to patch the vulnerabilities used in the attack, understand the extent of potential damage, and ensure protection for next time (and there will be a next time). In this blog post, we'll explain how to do exactly that.

As we wrote in our earlier post, Hafnium, the Chinese APT group behind the attacks, used a set of four previously unknown Exchange Server vulnerabilities to access victim mailboxes and perform remote code execution (RCE). The attacks played out as follows:

  • The attackers first used the vulnerabilities or stolen passwords to gain access to the server.

  • Then, they created a web shell, allowing them remote control of the compromised server.

  • At that point they had full control, with the ability to steal mailbox contents and data from the victim organization. They could also use this access as a beachhead and then move laterally within the organization's infrastructure.

Blocking Anonymous VPN Services

Threat actors, including Hafnium, have been observed using anonymous VPN services as part of the attacks leveraging MS Exchange 0-day vulnerabilities. Yes, anonymous VPN is that thing many people use to trick Netflix into letting them access a different country’s content library. Not surprisingly, cyber criminals are also in on the deal with this simple-to-use technology that proves to be so effective in disguising large scale attacks. Blacklisting the IPs of these anonymous services protects users from suspicious and potentially malicious traffic, and could have protected the victims of this attack. ThreatSTOP customers are protected by our Anonymous VPN Services Exit – IPs target, which blocks traffic from anonymous VPN providers.

Using Threat Intelligence to block attacks

Once an attack becomes known and researchers start delving into the attack methods and infrastructure, numerous indicators of compromise (IOCs) are published, either publicly or through paid subscriptions and partnerships. The problem, therefore, is not insufficient data. The challenge is aggregating and implementing it all. Applying blocklists that include all the latest IOCs for a given attack dramatically strengthens your first line of defense, and simply eliminates attacks attempting to use those IOCs. We automatically aggregate high-quality threat intelligence from over 800 sources, updated minute-by-minute with all the newest IOCs as they are uncovered.

Following the reveal of the MS Exchange attacks, our security team built URL, Domain and IP lists for these attacks. Much of the data in these lists comes from Blue Team Blog, as well as other threat intelligence sources and security blogs. If you are already a ThreatSTOP customer, you are automatically protected from this attack infrastructure as well as other threats like this. Not a ThreatSTOP user yet? Add these IOCs to your blocklists to ensure you are protected from now on against these adversaries and campaigns.
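The lists published below use the usual "defanged" notation (hxxp for http, [.] for .), so they cannot be dropped into a firewall or SIEM as-is. The script below is an added example, not ThreatSTOP's tooling or code from the original post: it refangs and de-duplicates such entries, classifies each one as a URL, domain or IP, and then checks a handful of constructed proxy/DNS log lines against the resulting blocklist. All IOC values and log lines in it are made-up placeholders on reserved example ranges and .test names, not indicators from any report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample entries in the same defanged style as the lists on this
# page. These are placeholders (.test names, TEST-NET addresses), not real IOCs.
SAMPLE_IOCS = [
    "hxxp://cdn[.]example-cdn[.]test/p?low",
    "ns[.]example-c2[.]test",
    "198.51.100[.]23",
    "http://www[.]example-payload[.]test/javac",   # list entries are not always defanged
]

# Constructed log lines: "<timestamp> <client or source> <verb> <target> <status>".
SAMPLE_LOG = [
    "2021-03-10T08:01:02Z 10.0.0.5 GET http://cdn.example-cdn.test/p?low 200",
    "2021-03-10T08:01:09Z 10.0.0.7 GET https://intranet.corp.test/owa/ 200",
    "2021-03-10T08:02:15Z 198.51.100.23 POST /owa/ 200",
    "2021-03-10T08:03:40Z 10.0.0.9 DNS ns.example-c2.test",
]


@dataclass(frozen=True)
class Indicator:
    kind: str    # "url", "domain" or "ip"
    value: str   # refanged form, lower-cased so comparisons are case-insensitive


def refang(text: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> :."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(raw: str) -> Optional[Indicator]:
    """Turn one list entry into a typed Indicator; return None for blank/junk input."""
    value = refang(raw).lower()
    if not value:
        return None
    if value.startswith(("http://", "https://")):
        return Indicator("url", value)
    try:
        ipaddress.ip_address(value)          # accepts IPv4 and IPv6 literals
        return Indicator("ip", value)
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
        return Indicator("domain", value)
    return None


def build_blocklist(lines: Iterable[str]) -> List[Indicator]:
    """Classify every entry, dropping junk and duplicates, preserving order."""
    seen, out = set(), []
    for line in lines:
        ind = classify(line)
        if ind and ind not in seen:
            seen.add(ind)
            out.append(ind)
    return out


def hostname_of(token: str) -> str:
    """Extract the host part of a URL token; non-URL tokens are returned unchanged."""
    m = re.match(r"https?://([^/:?#]+)", token)
    return m.group(1) if m else token


def match_log_line(line: str, blocklist: List[Indicator]) -> List[str]:
    """Return the indicator values found in one log line.

    IPs must match a whole token, URLs match as a prefix of a token, and
    domains match the token's hostname exactly or as a parent domain.
    """
    tokens = line.lower().split()
    hits = []
    for ind in blocklist:
        if ind.kind == "ip" and ind.value in tokens:
            hits.append(ind.value)
        elif ind.kind == "url" and any(t.startswith(ind.value) for t in tokens):
            hits.append(ind.value)
        elif ind.kind == "domain" and any(
            hostname_of(t) == ind.value or hostname_of(t).endswith("." + ind.value)
            for t in tokens
        ):
            hits.append(ind.value)
    return hits


def scan_log(lines: Iterable[str], blocklist: List[Indicator]) -> List[Tuple[int, List[str]]]:
    """Return (line_index, [matched values]) for every log line with at least one hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_log_line(line, blocklist)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_IOCS)
    for ind in blocklist:
        print(f"{ind.kind:6} {ind.value}")
    for idx, hits in scan_log(SAMPLE_LOG, blocklist):
        print(f"HIT line {idx}: {SAMPLE_LOG[idx]}  <-  {hits}")
```

The domain rule deliberately matches parent domains (a hit on `example-c2.test` also covers `ns.example-c2.test`), which is what you want for C2 infrastructure but means a list entry for a shared hosting or CDN apex will flag everything beneath it; review such entries before turning a match into an automatic block.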

URLs:

| IOC | Details | Source |
| --- | --- | --- |
| hxxp://www[.]lingx[.]club/javac | CVE-2021-21972 Payload | Bad Packets |
| hxxp://cdn[.]chatcdn[.]net/p?low | | Blue Team Blog |
| hxxp://p[.]estonine[.]com/p?e | | Blue Team Blog |
| hxxp://api.onedvirer[.]xyz/api/write | | AlienVault |
| hxxp://api.onedvirer[.]xyz/api/read | | AlienVault |

Domains:

| IOC | Details | Source |
| --- | --- | --- |
| rawfuns[.]com | Calypso C2 Server | ESET |
| yolkish[.]com | Calypso C2 Server | ESET |
| p.estonine[.]com | DLTMiner C2 Server | ESET |
| www.averyspace[.]net | Tick Delphi Backdoor C2 Server | ESET |
| www.komdsecko[.]net | Tick Delphi Backdoor C2 Server | ESET |
| lab.symantecsafe[.]org | Tonto Team ShadowPad C2 Server | ESET |
| ns.rtechs[.]org | Unclassified ShadowPad C2 Server | ESET |
| soft.mssysinfo[.]xyz | Unclassified ShadowPad C2 Server | ESET |
| mm.portomnail[.]com | Winnti Group PlugX C2 Server | ESET |
| t.zer9g[.]com | LemonDuck Botnet | AlienVault |
| back.rooter[.]tk | | AlienVault |

IP Addresses:

| IOC | Details | Source |
| --- | --- | --- |
| 103.77.192[.]219 | VPS / VPN Services | Volexity |
| 104.140.114[.]110 | VPS / VPN Services | Volexity |
| 104.250.191[.]110 | VPS / VPN Services | Volexity |
| 108.61.246[.]56 | VPS / VPN Services | Volexity |
| 149.28.14[.]163 | VPS / VPN Services | Volexity |
| 157.230.221[.]198 | VPS / VPN Services | Volexity |
| 167.99.168[.]251 | VPS / VPN Services | Volexity |
| 185.250.151[.]72 | VPS / VPN Services | Volexity |
| 192.81.208[.]169 | VPS / VPN Services | Volexity |
| 203.160.69[.]66 | VPS / VPN Services | Volexity |
| 211.56.98[.]146 | VPS / VPN Services | Volexity |
| 5.254.43[.]18 | VPS / VPN Services | Volexity |
| 80.92.205[.]81 | VPS / VPN Services | Volexity |
| 182.239.123[.]241 | Exploitation and Webshell Interaction | KyleHanslovan |
| 182.239.124[.]180 | Exploitation and Webshell Interaction | KyleHanslovan |
| 34.90.207[.]23 | LuckyMouse SysUpdate C2 Server | ESET |
| 194.68.44[.]19 | Mikroceen Proxy C2 Server | ESET |
| 172.105.18[.]72 | Mikroceen RAT C2 Server | ESET |
| 86.105.18[.]116 | Opera Cobalt Strike C2 & Distribution Server | ESET |
| 89.34.111[.]11 | Opera Cobalt Strike Distribution Server | ESET |
| 77.83.159[.]15 | Tonto Team Distribution Server | ESET |
| back.rooter[.]tk | Winnti Group PlugX C2 Server | ESET |
| 161.129.64[.]124 | Winnti Malware C2 Server | ESET |
| 45.114.130[.]89 | Proxy Logon and File Write Exploit | DFIR |
| 172.105.174[.]117 | Scanning Exchange Webshells | DFIR |
| 104.197.133[.]59 | Exploits Attempt Source | Bad Packets |
| 183.136.225[.]46 | Checking for Exchange Servers vulnerable to CVE-2021-26855 | Blue Team Blog |
| 152.32.174[.]110 | C2 Server | AlienVault |
| 45.249.244[.]118 | | AlienVault |
| 45.133.119[.]141 | | AlienVault |
| 104.225.219[.]16 | | Blue Team Blog |
| 104.248.49[.]97 | | Blue Team Blog |
| 112.66.255[.]71 | | Blue Team Blog |
| 139.59.56[.]239 | | Blue Team Blog |
| 159.89.95[.]163 | | Blue Team Blog |
| 161.35.76[.]1 | | Blue Team Blog |
| 165.232.154[.]116 | | Blue Team Blog |
| 185.173.235[.]172 | | Blue Team Blog |
| 185.173.235[.]54 | | Blue Team Blog |
| 185.65.134[.]165 | | Blue Team Blog |
| 188.166.162[.]201 | | Blue Team Blog |
| 198.50.168[.]176 | | Blue Team Blog |
| 34.87.113[.]30 | | Blue Team Blog |
| 45.154.2[.]94 | | Blue Team Blog |
| 77.61.36[.]169 | | Blue Team Blog |
| 1.36.203[.]86 | | badExchangePews Community List |
| 1.65.152[.]106 | | badExchangePews Community List |
| 1.9.2[.]18 | | badExchangePews Community List |
| 103.135.248[.]70 | | badExchangePews Community List |
| 103.212.223[.]210 | | badExchangePews Community List |
| 108.172.93[.]199 | | badExchangePews Community List |
| 108.61.171[.]184 | | badExchangePews Community List |
| 110.36.235[.]230 | | badExchangePews Community List |
| 110.36.238[.]2 | | badExchangePews Community List |
| 110.39.189[.]202 | | badExchangePews Community List |
| 112.168.90[.]84 | | badExchangePews Community List |
| 113.173.3[.]225 | | badExchangePews Community List |
| 114.205.37[.]150 | | badExchangePews Community List |
| 116.49.101[.]143 | | badExchangePews Community List |
| 117.146.53[.]162 | | badExchangePews Community List |
| 119.197.26[.]38 | | badExchangePews Community List |
| 119.231.129[.]222 | | badExchangePews Community List |
| 121.154.50[.]51 | | badExchangePews Community List |
| 121.174.31[.]220 | | badExchangePews Community List |
| 121.176.145[.]25 | | badExchangePews Community List |
| 122.213.178[.]102 | | badExchangePews Community List |
| 123.16.231[.]247 | | badExchangePews Community List |
| 124.5.24[.]161 | | badExchangePews Community List |
| 128.90.21[.]223 | | badExchangePews Community List |
| 161.35.45[.]41 | | badExchangePews Community List |
| 167.179.67[.]3 | | badExchangePews Community List |
| 170.10.228[.]74 | | badExchangePews Community List |
| 172.105.87[.]139 | | badExchangePews Community List |
| 179.1.65[.]54 | | badExchangePews Community List |
| 182.165.53[.]4 | | badExchangePews Community List |
| 182.18.152[.]105 | | badExchangePews Community List |
| 185.171.166[.]188 | | badExchangePews Community List |
| 185.224.83[.]137 | | badExchangePews Community List |
| 185.65.134[.]170 | | badExchangePews Community List |
| 200.52.177[.]138 | | badExchangePews Community List |
| 201.17.196[.]211 | | badExchangePews Community List |
| 201.208.18[.]226 | | badExchangePews Community List |
| 202.182.118[.]99 | | badExchangePews Community List |
| 209.58.163[.]131 | | badExchangePews Community List |
| 211.177.182[.]80 | | badExchangePews Community List |
| 213.219.235[.]158 | | badExchangePews Community List |
| 218.39.251[.]104 | | badExchangePews Community List |
| 219.100.37[.]239 | | badExchangePews Community List |
| 219.100.37[.]243 | | badExchangePews Community List |
| 219.78.205[.]63 | | badExchangePews Community List |
| 23.95.80[.]191 | | badExchangePews Community List |
| 31.182.197[.]163 | | badExchangePews Community List |
| 31.28.31[.]132 | | badExchangePews Community List |
| 34.87.189[.]145 | | badExchangePews Community List |
| 39.123.17[.]120 | | badExchangePews Community List |
| 45.77.252[.]175 | | badExchangePews Community List |
| 46.101.232[.]43 | | badExchangePews Community List |
| 46.23.196[.]21 | | badExchangePews Community List |
| 46.244.29[.]17 | | badExchangePews Community List |
| 49.36.47[.]211 | | badExchangePews Community List |
| 5.189.162[.]164 | | badExchangePews Community List |
| 5.2.69[.]13 | | badExchangePews Community List |
| 58.126.135[.]235 | | badExchangePews Community List |
| 58.190.46[.]175 | | badExchangePews Community List |
| 61.82.150[.]49 | | badExchangePews Community List |
| 78.188.104[.]84 | | badExchangePews Community List |
| 78.189.225[.]136 | | badExchangePews Community List |
| 89.147.119[.]227 | | badExchangePews Community List |
| 90.230.190[.]92 | | badExchangePews Community List |
| 91.192.103[.]43 | | badExchangePews Community List |