DIVD-2022-00032 - Exchange backdoor
Our reference | DIVD-2022-00032 |
Case lead | Victor Pasman |
Researcher(s) | |
Products | |
Recommendation | Verify if the backdoor is installed on your Exchange Server. |
Status | Closed |
Last modified | 31 May 2023 20:42 CEST |
Summary
On 2 June 2022, Eye Security published a blog post about a backdoor identified on an Exchange Server that had earlier been breached via ProxyLogon. The backdoor was found by their SOC after an alert about blocked PowerShell execution on the Exchange Server. It was probably installed during or after the initial compromise via ProxyLogon or ProxyShell, and it uses the WinRS (WinRM) service on the server to give a malicious actor who holds valid credentials remote access to the server.
What you can do
Install the Microsoft Exchange security updates (including those for ProxyLogon and ProxyShell). Then verify whether the backdoor is present on your Microsoft Exchange server by running the following command from a PowerShell prompt:

winrs -r:https://yourexchangeserverurl/wsman whoami

If you receive the error "Winrs error: Access is denied.", your system probably has a backdoor installed by a malicious actor.
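The check above is a single command against a single server. The script below is an added example, not DIVD's or Eye Security's tooling, that runs the same winrs check from this case file against a list of Exchange servers and classifies the result. The server names are placeholders, and the treatment of a successful remote whoami as equally suspicious (because a default Exchange server is not expected to answer on /wsman at all) is an assumption of this example, not a statement from the case file.

```powershell
# Added example: sweep several Exchange servers with the winrs check from this case file.
# Not part of DIVD's or Eye Security's tooling. Server names are placeholders.
$servers = @('mail01.example.com', 'mail02.example.com')

function Test-WsmanBackdoor {
    param([Parameter(Mandatory)][string]$Server)

    # winrs reports its errors on stderr; merge both streams and flatten to text.
    $output = & winrs.exe "-r:https://$Server/wsman" whoami 2>&1 | ForEach-Object { $_.ToString() }
    $text = $output -join "`n"

    if ($text -match 'Access is denied') {
        # The indicator named in the case file.
        $verdict = 'SUSPICIOUS: /wsman answered "Access is denied"'
    } elseif ($LASTEXITCODE -eq 0) {
        # Assumption in this example: a WSMan endpoint that actually executes the command
        # is not expected on a default Exchange server either, so flag it as well.
        $verdict = 'SUSPICIOUS: remote whoami executed via https://.../wsman'
    } else {
        # Any other winrs error (for example an HTTP 404 or no response) means no
        # WSMan endpoint was reachable at /wsman during this check.
        $verdict = 'Not detected: no usable WSMan endpoint at /wsman'
    }

    [pscustomobject]@{
        Server  = $Server
        Verdict = $verdict
        Detail  = $text.Trim()
    }
}

$servers | ForEach-Object { Test-WsmanBackdoor -Server $_ } | Format-Table -AutoSize -Wrap
```

Run it from an account that can reach the servers over HTTPS; the Detail column keeps the raw winrs output so that an unexpected verdict can be reviewed by hand rather than trusted blindly.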
What we are doing
We are currently working to identify the backdoors on Exchange Servers that are accessible from the internet and warn owners.
Timeline
Date | Description |
---|---|
02 Jun 2022 | Eye Security publishes their blog post about a backdoor identified on an Exchange Server |
03 Jun 2022 | DIVD starts scanning for infected hosts |
06 Jun 2022 | First version of this case file |
06 Jun 2022 | First round of notifications sent |
21 Jun 2022 | Second round of notifications sent |
18 Sep 2022 | Third round of notifications sent |
22 Nov 2022 | Case closed. |