Microsoft IOC Detection Tool for Exchange Server vulnerabilities



Fortify Security Team



Sep 28, 2024

Microsoft has released the EOMT.ps1 tool that can automate portions of both the detection and patching process and help your organization check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.

In addition, CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actors can upload a webshell to enable remote administration of the affected system.

CISA has also added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware.

CISA encourages users and administrators to review the following resources for more information.

Microsoft IOC Detection Tool for Exchange Server Vulnerabilities: https://github.com/microsoft/CSS-Exchange/tree/main/Security
Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
MAR-10328877-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a
MAR-10328923-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b
MAR-10329107-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c
MAR-10329297-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d
MAR-10329298-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e
MAR-10329301-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f
MAR-10329494-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g
CISA’s Remediating Microsoft Exchange Vulnerabilities web page: https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities
CISA’s Ransomware Guidance and Resources web page: https://www.cisa.gov/ransomware

← Prev

Next →

Increased Truebot Activity Infects U.S. and Canada Based Networks

Sep 28, 2024 | Actively Exploited, Cyberthreat Research, Security Advisories

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory...

Maui Ransomware – Technical Details

Sep 28, 2024 | Cyberthreat Research, Security Advisories

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at Healthcare and Public Health (HPH) Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for...

MedusaLocker Ransomware Technical Details

Sep 28, 2024 | Cyberthreat Research

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every...

Karakurt Data Extortion Group

Sep 28, 2024 | Cyberthreat Research, Security Advisories

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide...

CVE-2022-30190 aka Follina

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the...

AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

Summary This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This joint advisory is the result of analytic efforts among...

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

« Older Entries