| Field | Details |
|---|---|
| Advisory Type | Vulnerability Intelligence |
| CVE Chain | |
| Threat Listing | Hafnium (Nation State Actor), UNC2639, UNC2640, and UNC2643; Cryptominers; Unauthorized WebShells; DearCry Ransomware |
| Affected System | (On-premise only) Microsoft Exchange Servers 2019, 2016, 2013 |
| Platform | Windows |
| Tactics | Procedure/Tools |
|---|---|
| Command Execution | ASPX/PHP WebShells |
| Credential Dumping | `rundll32 C:\windows\system32\comsvcs.dll MiniDump lsass.dmp` |
| Lateral Movement | PsExec |
| Persistence | Domain Account User Addition |
| Exfiltration | WinRAR command line utility to archive data for exfiltration |
| Indicator | Values |
|---|---|
| IP Addresses | 103.77.192.219, 104.140.114.110, 104.250.191.110, 108.61.246.56, 149.28.14.163, 157.230.221.198, 167.99.168.251, 185.250.151.72, 192.81.208.169, 203.160.69.66, 211.56.98.146, 5.254.43.18, 80.92.205.81 |
| Ransomware Hashes (SHA-256) | feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede, e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6, 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da, 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff |
| WebShell Hashes (SHA-256) | b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0, 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e, 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1, 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5, 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1, 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea, 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d, 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944 |
| Exchange Control Panel [ECP] Logs for RCE | `S:CMD=Set-OabVirtualDirectory.ExternalUrl='` |
| Post Exploitation Tools | Procdump, Nishang, PowerCat |

WebShell Indicators (file system locations to check):

- `\inetpub\wwwroot\aspnet_client\` (any .aspx file under this folder or sub folders)
- `\<exchange install path>\FrontEnd\HttpProxy\ecp\auth\` (any file besides TimeoutLogoff.aspx)
- `\<exchange install path>\FrontEnd\HttpProxy\owa\auth\` (any file or modified file that is not part of a standard install)
- `\<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders>`
- `\<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>`

HTTP POST Requests (paths observed in IIS logs):

- `/owa/auth/Current/themes/resources/logon.css`
- `/owa/auth/Current/themes/resources/owafont_ja.css`
- `/owa/auth/Current/themes/resources/lgnbotl.gif`
- `/owa/auth/Current/themes/resources/owafont_ko.css`
- `/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot`
- `/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf`
- `/owa/auth/Current/`
- `/ecp/default.flt`
- `/ecp/main.css`
- `/ecp/<single char>.js`
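As an added detection example (not part of the CloudSEK advisory), the Python below checks exported IIS W3C logs for POST requests to the paths listed above and scans ECP log lines for the Set-OabVirtualDirectory marker. The sample log lines, the server name EX01 and the TEST-NET client address 203.0.113.7 are constructed for the demonstration.

```python
import re

# Paths the advisory lists as targets of suspicious HTTP POST requests.
SUSPICIOUS_POST_PATHS = {
    "/owa/auth/Current/themes/resources/logon.css",
    "/owa/auth/Current/themes/resources/owafont_ja.css",
    "/owa/auth/Current/themes/resources/lgnbotl.gif",
    "/owa/auth/Current/themes/resources/owafont_ko.css",
    "/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot",
    "/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf",
    "/owa/auth/Current/",
    "/ecp/default.flt",
    "/ecp/main.css",
}
# The advisory's "/ecp/<single char>.js" pattern as a regex.
ECP_SINGLE_CHAR_JS = re.compile(r"^/ecp/[^/]\.js$")
# String the advisory says shows up in ECP server logs when the OAB virtual directory is abused for RCE.
ECP_RCE_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='"


def flag_iis_log(lines):
    """Return (client_ip, uri) for every POST to an advisory-listed path in an IIS W3C log."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order for the records that follow
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            uri = rec.get("cs-uri-stem", "")
            if rec.get("cs-method") == "POST" and (
                uri in SUSPICIOUS_POST_PATHS or ECP_SINGLE_CHAR_JS.match(uri)
            ):
                hits.append((rec.get("c-ip"), uri))
    return hits


def flag_ecp_log(lines):
    """Return ECP log lines that contain the Set-OabVirtualDirectory RCE marker."""
    return [ln for ln in lines if ECP_RCE_MARKER in ln]


# Constructed sample logs (not real telemetry); the client address is from TEST-NET-3.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.9 Mozilla/5.0 200
2021-03-03 10:15:07 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-03 10:15:09 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.7 python-requests/2.25.1 200"""
SAMPLE_ECP_LOG = """2021-03-03T10:15:09.000Z,EX01,S:CMD=Set-OabVirtualDirectory.ExternalUrl='<redacted>'
2021-03-03T10:15:10.000Z,EX01,S:CMD=Get-Mailbox"""
```

Run `flag_iis_log(SAMPLE_IIS_LOG.splitlines())` and `flag_ecp_log(SAMPLE_ECP_LOG.splitlines())` against your own exported logs by replacing the sample strings with the file contents.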