Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
Released on 2021-07-21 @ 01:39:32 PM
During a threat hunting engagement in April 2021, incident responders identified web shells on multiple hosts in a customer’s environment, as well as other evidence of post-exploitation activity. Subsequent analysis revealed a previous compromise of SharePoint servers within the environment, as well as ongoing activity initially facilitated by the compromise of on-premises Exchange servers. Analysis indicates that the two sets of activity were unrelated and were conducted by different threat groups.