Hunting in the Field of Cybersecurity: The Microsoft Exchange Fiasco
Earle Maui Earnshaw, Arianne Dela Cruz
Trend Micro Inc.
Abstract:
The discovery of multiple zero-day vulnerabilities in Microsoft Exchange Server early this year enabled threat actors to victimize approximately 30,000 organizations in the US alone, with payloads such as Prometei, LemonDuck, and Blackkingdom reportedly deployed during the height of exploitation.
A major factor in the success of these attacks was a technique that enabled attackers to initiate backdoor communications and payload delivery through undetected webshells. By using a new method of webshell execution through OAB modification, threat actors were able to remain undetected for a period of time. In our research, we delve into this new technique and its potential impact on different vital industries moving forward.