Scanning for Microsoft Exchange eDiscovery

In the past week, I have noticed more scans looking for the following Exchange URL over port 443: /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application

I have also noticed that all of these scans for this URL come from the same subnet, DIGITALOCEAN-192-241-128-0 (AS14061).

This activity is likely linked to April Patch Tuesday (CVE-2021-28481) where "Also of significant note are the Microsoft Exchange Server Remote Code Execution vulnerabilities across versions 2013 - 2019. No known exploits are being reported however the CVSS score sits at 9.8, tread carefully. With a Critical rating, and a high CVSS score, those patches are worth reviewing in depth."[1]

Based on this graph, these scans started almost immediately (17 April 2021) after April Patch Tuesday and are still ongoing today.

Sample Log

20210812-170532: 192.168.25.9:443-192.241.216.240:48302 data
GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip

Indicators of Compromise

192.241.128.0/17 → AS14061
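Example detection logic, added here and not part of the diary: a small Python parser for the honeypot capture format shown in the sample log above, which flags a request when it asks for the eDiscovery export-tool path, when its source falls inside the 192.241.128.0/17 indicator, or when it carries a zgrab user agent. It assumes that in the "data" header line the left address is the honeypot and the right one is the remote client, and the SAMPLE_LOG below is constructed for the example (one record copied from the diary, two invented).

```python
import ipaddress
import re

# Indicator from the diary: DigitalOcean range (AS14061) seen scanning.
SCANNER_NETS = [ipaddress.ip_network("192.241.128.0/17")]

# Path the scanners are probing for.
EDISCOVERY_PATH = "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"

# Header line of a capture: "YYYYMMDD-HHMMSS: honeypot:port-client:port data"
# (assumption: left side is the honeypot, right side is the remote client).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6}): (?P<dst>[\d.]+):(?P<dport>\d+)-(?P<src>[\d.]+):(?P<sport>\d+) data$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)$")

# Constructed sample: first record is the one from the diary, the others are invented.
SAMPLE_LOG = """\
20210812-170532: 192.168.25.9:443-192.241.216.240:48302 data
GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip

20210813-081200: 192.168.25.9:443-203.0.113.5:51000 data
GET /owa/auth/logon.aspx HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html

20210813-091501: 192.168.25.9:443-192.241.130.7:40022 data
GET / HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
"""


def parse_captures(text):
    """Split a capture log into records: one per 'data' header, with its request line and headers."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                       "dport": int(m["dport"]), "method": None, "path": None, "headers": {}}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        r = REQUEST_RE.match(line)
        if r and current["path"] is None:
            current["method"], current["path"] = r["method"], r["path"]
            continue
        if ":" in line:  # "Name: value" header line
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return records


def classify(record):
    """Return the reasons a record is interesting; an empty list means nothing matched."""
    reasons = []
    if record["path"] and record["path"].lower() == EDISCOVERY_PATH.lower():
        reasons.append("ediscovery-exporttool-probe")
    if any(ipaddress.ip_address(record["src"]) in net for net in SCANNER_NETS):
        reasons.append("src-in-AS14061-range")
    if "zgrab" in record["headers"].get("user-agent", "").lower():
        reasons.append("zgrab-user-agent")
    return reasons


def find_hits(text):
    """Return (timestamp, source IP, reasons) for every record that matched at least one rule."""
    hits = []
    for rec in parse_captures(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["src"], reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in find_hits(SAMPLE_LOG):
        print(ts, src, ", ".join(reasons))
```

The path comparison is case-insensitive because IIS serves the /ecp virtual directory case-insensitively, and the three rules are kept separate so a hit can be triaged by which of them fired rather than collapsed into a single score.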

Have you noticed an increase in scans for this URL?

[1] https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28481
[3] https://isc.sans.edu/forums/diary/Microsoft+Releases+Exchange+Emergency+Patch+to+Fix+Actively+Exploited+Vulnerability/27164

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

506 Posts
ISC Handler
Aug 14th 2021
While I have not noticed scans for that URL, I have noticed an increase in the amount of scanning from Digital Ocean. When I do a whois lookup for the IP on this site, I generally see the message highlighted in green that this is for research purposes only.

I reached out to Digital Ocean to request they exclude our IP block, but that did not seem to reduce these scans.
PW

65 Posts