
SANS ISC: InfoSec Handlers Diary Blog


Scanning for Microsoft Exchange eDiscovery

Published: 2021-08-13
Last Updated: 2021-08-14 02:14:07 UTC
by Guy Bruneau (Version: 1)


In the past week, I have noticed more scans looking for the following Exchange URL over port 443: /ecp/Current/exporttool/

I have also noticed that all the scans for this URL come from the same subnet (AS14061), DIGITALOCEAN-192-241-128-0.

This activity is likely linked to April Patch Tuesday (CVE-2021-28481) where "Also of significant note are the Microsoft Exchange Server Remote Code Execution vulnerabilities across versions 2013 - 2019. No known exploits are being reported however the CVSS score sits at 9.8, tread carefully. With a Critical rating, and a high CVSS score, those patches are worth reviewing in depth."[1]

Based on this graph, these scans started almost immediately (17 April 2021) after April Patch Tuesday and are still ongoing today.

Sample Log

20210812-170532: data
GET /ecp/Current/exporttool/ HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip

Indicators of Compromise → AS14061
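
To look for the same probes in your own honeypot or web logs, the following added example (not part of the original diary) parses records in the format of the sample log above and counts requests for the export tool path per day. The first record in SAMPLE is the one from the diary; the other two records and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Path from the diary; IIS treats URL paths case-insensitively.
TARGET = re.compile(r"^/ecp/current/exporttool(/|$)", re.IGNORECASE)
# Record header as in the sample log: "YYYYMMDD-HHMMSS: data"
HEADER = re.compile(r"^(\d{8})-(\d{6}): data\s*$")
REQUEST = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d\s*$")

# First record is from the diary; the second and third are constructed.
SAMPLE = """\
20210812-170532: data
GET /ecp/Current/exporttool/ HTTP/1.1
Host: XX.XX.28.221
User-Agent: Mozilla/5.0 zgrab/0.x

20210813-031455: data
GET /ECP/current/exporttool/?x=1 HTTP/1.1
User-Agent: Mozilla/5.0 zgrab/0.x

20210813-031502: data
GET /owa/auth/logon.aspx HTTP/1.1
User-Agent: curl/7.68.0
"""

def parse_records(text):
    """Split the log into records: header line, request line, HTTP headers."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"date": m.group(1), "time": m.group(2), "path": None, "headers": {}}
            records.append(cur)
        elif cur is None or not line.strip():
            continue  # text before the first record, or a blank separator
        elif cur["path"] is None:
            r = REQUEST.match(line)
            if r:
                cur["method"], cur["path"] = r.group(1), r.group(2)
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["headers"][name.strip().lower()] = value.strip()
    return records

def exporttool_scans(text):
    """Return the records that request the eDiscovery export tool path."""
    return [r for r in parse_records(text)
            if TARGET.match((r["path"] or "").split("?", 1)[0])]

def daily_counts(hits):
    """Count matching requests per day (YYYYMMDD) to show when scanning began."""
    return Counter(h["date"] for h in hits)
```

The sample log records only the destination host, so mapping a hit to AS14061 requires joining these records with the source addresses from your connection or firewall logs.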

Have you noticed an increase in scans for this URL?


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
