Skip to the content.

DIVD-2022-00032 - Exchange backdoor

Our reference DIVD-2022-00032
Case lead Victor Pasman
Researcher(s)
Products
  • Microsoft Exchange Servers
Recommendation Verify if the backdoor is installed on your Exchange Server.
Status Open
Last modified 18 Sep 2022 18:32

Summary

On 2 June 2022, Eye Security published a blogpost about a identified backdoor on earlier with ProxyLogon breached Server. The backdoor was found by their SOC after an alert of blocked Powershell execution on a Exchange Server. The backdoor was probably installed during or after the initial compromise via proxylogon or proxy shell and makes use of the WinRS service on the server to give a malicous actor with credentials remote access to the server.

What you can do

Install the Microsoft Exchange patches. Verify if the backdoor is available on your Microsoft Exchange server by using the following Powershell command: winrs -r:https://yourexchangeserverurl/wsman whoami

If you receive the following error: “Winrs error: Access is denied.” Then is your system probably has a backdoor installed by an malicious actor.

What we are doing

We are currently working to identify the backdoors on Exchange Servers that are accessible from the internet and warn owners.

Timeline

Date Description
02 Jun 2022 Eye Security publishes their blog about a identified backdoor on a Exchange Server
03 Jun 2022 DIVD Starts scanning for infected hosts
06 Jun 2022 First version of this case file
06 Jun 2022 First round of notifications sent
21 Jun 2022 Second round of notifications sent
18 Sep 2022 Third round of notifications sent
gantt title DIVD-2022-00032 - Exchange backdoor dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00032 - Exchange backdoor (still open) :2022-06-03, 2022-10-04 section Events Eye Security publishes their blog about a identified backdoor on a Exchange Server : milestone, 2022-06-02, 0d DIVD Starts scanning for infected hosts : milestone, 2022-06-03, 0d First version of this case file : milestone, 2022-06-06, 0d First round of notifications sent : milestone, 2022-06-06, 0d Second round of notifications sent : milestone, 2022-06-21, 0d Third round of notifications sent : milestone, 2022-09-18, 0d

More information