CASE: EXCHANGE BACKDOOR (2022)

Written on 28 Nov 2022 by Gerard Janssen

The case

On May 10th 2022, the Security Operation Center of Dutch cybersecurity company Eye Security got an alert about malicious activity on an Exchange server of one of their customers. Researchers of Eye Security found a backdoor that was probably installed months earlier after an initial ProxyLogon or ProxyShell compromise. The backdoor uses the WinRS service on the server to give a malicious actor with credentials remote access to the server.

What we did

On 2 June 2022, Eye Security published a blogpost about their findings. DIVD started scanning the same day. Researchers of DIVD found a way to test if Windows Exchange servers exposed to the internet had a backdoor.

The first scan on June 6th 2022 showed there were 124 exchange servers exposed to the internet that were possibly backdoored. A notification mail was sent to the owners of these systems.

On September 17th there were still 105 servers with a possible backdoor. The system owners were notified, and the case was closed.

Timeline

• 02 Jun 2022: Eye Security publishes their blogpost
• 03 Jun 2022: DIVD Starts scanning for infected hosts
• 06 Jun 2022: First version of this case file
• 06 Jun 2022: First round of notifications sent
• 21 Jun 2022: Second round of notifications sent
• 18 Sep 2022: Third round of notifications sent
• 22 Nov 2022: Case closed.

What you can do

Install the Microsoft Exchange patches. Verify if the backdoor is available on your Microsoft Exchange server by using the following Powershell command: winrs -r:https://yourexchangeserverurl/wsman whoami

More information

• Official Eye.Security Blog
• DIVD-2022-00032