Scanning for Microsoft Exchange eDiscovery

In the past week, I have noticed more scans looking for the following Exchange URL over port 443:

/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application

What I have also noticed is that all these scans for this URL are from the same subnet (AS14061) DIGITALOCEAN-192-241-128-0. This activity is likely linked to April Patch Tuesday (CVE-2021-28481) where "Also of significant note are the Microsoft Exchange Server Remote Code Execution vulnerabilities across versions 2013 - 2019. No known exploits are being reported however the CVSS score sits at 9.8, tread carefully. With a Critical rating, and a high CVSS score, those patches are worth reviewing in depth."[1]

Based on this graph, these scans started almost immediately (17 April 2021) after April Patch Tuesday and are still ongoing today.

Sample Log

20210812-170532: 192.168.25.9:443-192.241.216.240:48302 data

Indicators of Compromise

192.241.128.0/17 → AS14061

Have you noticed an increase in scans for this URL?

[1] https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306

Guy 523 Posts ISC Handler Aug 14th 2021
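
An added example, not code from the diary or from ISC: a small detector that reads log lines in the layout of the sample above, finds requests for the export tool URL, and marks whether the source falls inside the reported 192.241.128.0/17 range. It assumes the first address pair is the sensor, the second is the remote host, and the trailing field holds the request text; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# URL and network as reported in the diary.
EXPORTTOOL_URL = "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"
REPORTED_NET = ipaddress.ip_network("192.241.128.0/17")

# Assumed layout: "YYYYMMDD-HHMMSS: sensor:port-remote:port data"
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6}): [\d.]+:\d+-(?P<src>[\d.]+):\d+ (?P<data>.*)$"
)

# Constructed sample lines (request text and most addresses are illustrative).
URL = EXPORTTOOL_URL
SAMPLE_LOG = f"""\
20210812-170532: 192.168.25.9:443-192.241.216.240:48302 GET {URL} HTTP/1.1
20210812-171001: 192.168.25.9:443-192.241.200.17:51544 GET {URL.upper()} HTTP/1.1
20210812-171544: 192.168.25.9:443-198.51.100.23:40112 GET /owa/auth/logon.aspx HTTP/1.1
20210812-172210: 192.168.25.9:443-203.0.113.77:39870 GET {URL} HTTP/1.1
truncated or unrelated line
"""

def find_exporttool_scans(log_text):
    """Return one record per request for the export tool URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        # Compare case-insensitively: IIS does not treat path case as significant.
        if EXPORTTOOL_URL.lower() not in m["data"].lower():
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        hits.append({"ts": m["ts"], "src": str(src),
                     "in_reported_net": src in REPORTED_NET})
    return hits

def summarize(hits):
    """Count hits from the reported range versus everywhere else."""
    return Counter("reported_net" if h["in_reported_net"] else "other" for h in hits)

if __name__ == "__main__":
    found = find_exporttool_scans(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dict(summarize(found)))
```

Hits counted under "other" show whether the scanning has spread beyond the single range named in the diary.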

While I have not noticed scans for that URL, I have noticed an increase in the amount of scanning from Digital Ocean. When I do a whois lookup for the IP on this site, I generally see the message highlighted in green that this is for research purposes only.
I reached out to Digital Ocean to request they exclude our IP block, but that did not seem to reduce these scans.

PW 69 Posts Aug 16th 2021