[SANS ISC] Scanning for Microsoft Exchange eDiscovery, (Fri, Aug 13th)

Scanning for Microsoft Exchange eDiscovery

In the past week, I have notice more scans looking for the following Exchange URL over port 443: /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application

What I have also noticed, all these scans for this URL are all from the same subnet (AS14061) DIGITALOCEAN-192-241-128-0.

This activity is likely linked to April Patch Tuesday (CVE-2021-28481) where “Also of significant note are the Microsoft Exchange Server Remote Code Execution vulnerabilities across versions 2013 – 2019. No known exploits are being reported however the CVSS score sits at 9.8, tread carefully. With a Critical rating, and a high CVSS score, those patches are worth reviewing in depth.”[1]

Based on this graph, these scans started almost immediately (17 April 2021) after April patch Tuesday and are still ongoing today.

Sample Log

20210812-170532: data
GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip

Indicators of Compromise → AS14061

Have you noticed an increase in scans for this URL?

[1] https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28481
[3] https://isc.sans.edu/forums/diary/Microsoft+Releases+Exchange+Emergency+Patch+to+Fix+Actively+Exploited+Vulnerability/27164

Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[BleepingComputer] Linux system service bug lets you get root on most modern distros

Unprivileged attackers can get a root shell by exploiting an authentication bypass vulnerability in the polkit auth system service installed by default on many modern Linux distributions. […] Source: Read More (BleepingComputer)

Read More

[TheRecord] Chinese espionage group deploys new rootkit compatible with Windows 10 systems

At the SAS 2021 security conference today, analysts from security firm Kaspersky Lab have published details about a new Chinese cyber-espionage group that has been targeting high-profile entities across South East Asia since at least July 2020. Named GhostEmperor, Kaspersky said the group uses highly sophisticated tools and is often focused on gaining and keeping long-term […]

Read More

[ZDNet] Health apps ‘playing fast and loose’ with user data, warns FTC chief

All posts, ZDNet

If a health app leaks info, consumers need to know. Source: Read More (Latest topics for ZDNet in Security)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.