{
	"id": "a89b3417-8de6-4d50-9049-9daad541bea5",
	"created_at": "2026-04-06T00:06:27.827811Z",
	"updated_at": "2026-04-10T03:35:48.564742Z",
	"deleted_at": null,
	"sha1_hash": "58d583f8c12de665006b69000fd3e31c9b89e361",
	"title": "Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 782892,
	"plain_text": "Detection and Response to Exploitation of Microsoft Exchange\r\nZero-Day Vulnerabilities | Mandiant\r\nBy Mandiant\r\nPublished: 2021-03-04 · Archived: 2026-04-02 11:55:19 UTC\r\nWritten by: Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace\r\nBeginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft\r\nExchange Server within at least one client environment. The observed activity included creation of web shells for\r\npersistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation\r\nrevealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM, a\r\nprivileged local account on the Windows operating system. Furthermore, the process that created the web shell\r\nwas UMWorkerProcess.exe, the process responsible for Exchange Server’s Unified Messaging Service. In\r\nsubsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the\r\nExchange Server web front-end.\r\nIn response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server\r\nabuse. We also utilized this data to build higher-fidelity detections of web server process chains. On March 2,\r\n2021, Microsoft released a blog post that detailed multiple zero-day vulnerabilities used to attack on-premises\r\nversions of Microsoft Exchange Server. 
Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:\r\nCVE             Risk Rating  Access Vector  Exploitability  Ease of Attack  Mandiant Intel\r\nCVE-2021-26855  Critical     Network        Functional      Easy            Link\r\nCVE-2021-26857  Medium       Network        Functional      Easy            Link\r\nCVE-2021-26858  Medium       Network        Functional      Easy            Link\r\nCVE-2021-27065  Medium       Network        Functional      Easy            Link\r\nTable 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel summaries (the Mandiant Intel column linked to a FireEye intelligence summary for each CVE in the original post)\r\nThe activity reported by Microsoft aligns with our observations. FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions. We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity.\r\nBased on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and a Central Asian telecom. Microsoft reported that the exploitation occurred together and is linked to a single group of actors tracked as “HAFNIUM”, a group that has previously targeted US-based defense companies, law firms, infectious disease researchers, and think tanks.\r\nhttps://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html\r\nPage 1 of 7\r\nIn this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity.\r\nWe will be discussing these attacks more in an upcoming webinar on Mar. 
17, 2021.\r\nFrom Exploit to Web Shell\r\nBeginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer’s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of that discovery. Figure 1 provides a snippet of the web shell’s code.\r\nFigure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system\r\nThe web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server’s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.\r\nApproximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and to upload, delete, and view the contents of files.\r\nFigure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021\r\nWhile the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.\r\nIn March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. 
This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe (the IIS worker process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true China Chopper web shell.\r\nFigure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system\r\nWe observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:\r\nnet group \"Exchange Organization administrators\" administrator /del /domain\r\nThis command attempts to remove the account named administrator from the Exchange Organization administrators group. The /domain switch directs the operation at the domain controller of the current domain rather than the local computer; if the system is in a single-system domain, it will execute on the local computer.\r\nMicrosoft’s blog reports additional post-exploitation activity, including:\r\n- Credential theft via dumping of LSASS process memory.\r\n- Compression of data for exfiltration via 7-Zip.\r\n- Use of Exchange PowerShell snap-ins to export mailbox data.\r\n- Use of the additional offensive security tools Covenant, Nishang, and PowerCat for remote access.\r\nThe activity we have observed, coupled with observations from others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold in environments. That foothold is quickly followed by additional access and persistence mechanisms. 
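As an added example (not code from the Mandiant post), the following Python script applies the host-side checks described above, and repeated in the Investigation Tips section, to a handful of constructed Windows telemetry events: a web server process (w3wp.exe or UMWorkerProcess.exe) spawning a command shell, a web server process writing an ASPX file, an ASPX file owned by SYSTEM, a freshly compiled App_Web_*.dll under Temporary ASP.NET Files, and the net group ... /del command. The event field names (Sysmon-style EventID 1 and 11 fields plus an assumed Owner field), the file paths and every sample event are assumptions constructed for the example.

```python
# Added example, not code from the Mandiant post. Triage of constructed process-creation and
# file-creation events for the Exchange web-shell activity described in the post. The event
# shape is an assumption modelled on Sysmon EventID 1 (ProcessCreate) and EventID 11
# (FileCreate) field names, plus an assumed 'Owner' field that Sysmon itself does not record.
import ntpath

WEB_SERVER_IMAGES = {'w3wp.exe', 'umworkerprocess.exe'}
SHELL_IMAGES = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}
WEB_SHELL_EXTENSIONS = {'.aspx', '.ashx', '.asmx', '.asp'}
SYSTEM_ACCOUNT = 'nt authority\\system'


def _image_name(path):
    # Telemetry carries full Windows paths; compare on the lower-cased basename.
    return ntpath.basename(path).lower()


def triage_process_create(event):
    """Findings for one process-creation event (assumed Sysmon EventID 1 shape)."""
    findings = []
    parent = _image_name(event.get('ParentImage', ''))
    image = _image_name(event.get('Image', ''))
    cmdline = event.get('CommandLine', '')
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        findings.append('%s spawned %s: %s' % (parent, image, cmdline))
    # The group-membership deletion the post reports seeing in at least two intrusions.
    lowered = cmdline.lower()
    if image == 'net.exe' and ' group ' in lowered and '/del' in lowered:
        findings.append('net.exe group deletion: %s' % cmdline)
    return findings


def triage_file_create(event):
    """Findings for one file-creation event (assumed Sysmon EventID 11 shape plus Owner)."""
    findings = []
    writer = _image_name(event.get('Image', ''))
    target = event.get('TargetFilename', '')
    name = _image_name(target)
    ext = ntpath.splitext(name)[1]
    if writer in WEB_SERVER_IMAGES and ext in WEB_SHELL_EXTENSIONS:
        findings.append('%s wrote web content file %s' % (writer, target))
    if ext in WEB_SHELL_EXTENSIONS and event.get('Owner', '').lower() == SYSTEM_ACCOUNT:
        findings.append('ASPX file owned by SYSTEM: %s' % target)
    # ASP.NET compiles a page into an App_Web_*.dll assembly under Temporary ASP.NET Files;
    # a new assembly for a page nobody deployed is the compiled trace of a web shell (heuristic).
    if 'temporary asp.net files' in target.lower() and name.startswith('app_web_') and ext == '.dll':
        findings.append('new compiled ASP.NET page: %s' % target)
    return findings


def triage(events):
    """Run every event through the matching check; returns (finding, event) pairs."""
    results = []
    for event in events:
        if event.get('EventID') == 1:
            hits = triage_process_create(event)
        elif event.get('EventID') == 11:
            hits = triage_file_create(event)
        else:
            hits = []
        results.extend((hit, event) for hit in hits)
    return results


# Constructed sample telemetry (not from a real intrusion); paths and account names are assumed.
SAMPLE_EVENTS = [
    {'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\svchost.exe',
     'Image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe', 'CommandLine': 'w3wp.exe -ap MSExchangeOWAAppPool'},
    {'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'CommandLine': 'cmd /c whoami'},
    {'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'Image': 'C:\\Windows\\System32\\net.exe',
     'CommandLine': 'net group \"Exchange Organization administrators\" administrator /del /domain'},
    {'EventID': 11, 'Image': 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe',
     'TargetFilename': 'C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx', 'Owner': 'NT AUTHORITY\\SYSTEM'},
    {'EventID': 11, 'Image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'TargetFilename': 'C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex210304.log', 'Owner': 'NT AUTHORITY\\SYSTEM'},
    {'EventID': 11, 'Image': 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe',
     'TargetFilename': 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\1a2b3c4d\\5e6f7a8b\\App_Web_help.aspx.cdcab7d2.dll',
     'Owner': 'NT AUTHORITY\\SYSTEM'},
]

if __name__ == '__main__':
    for finding, event in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign w3wp.exe log write and the normal svchost.exe to w3wp.exe parentage produce nothing; the other four events yield five findings between them, which is the point of keying on the parent process and the writing process rather than on file names, which the post notes differ in every intrusion.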
As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.\r\nInvestigation Tips\r\nWe recommend checking the following for potential evidence of compromise:\r\n- Child processes of C:\\Windows\\System32\\inetsrv\\w3wp.exe on Exchange Servers, particularly cmd.exe.\r\n- Files written to the system by w3wp.exe or UMWorkerProcess.exe.\r\n- ASPX files owned by the SYSTEM user.\r\n- New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory.\r\n- Reconnaissance or vulnerability-testing requests from an external IP address to the following resources:\r\n  - the /rpc/ directory\r\n  - /ecp/DDI/DDIService.svc/SetObject\r\n  - non-existent resources\r\n  - any resource, when the request carries suspicious or spoofed HTTP User-Agents\r\n- Unexpected or suspicious Exchange PowerShell snap-in requests to export mailboxes.\r\nIn our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, so the file name alone is not a high-fidelity indicator of compromise.\r\nIf you believe your Exchange Server was compromised, we recommend investigating to determine the scope of the attack and the dwell time of the threat actor.\r\nFurthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:\r\n- At least 14 days of HTTP web logs from the inetpub\\Logs\\LogFiles directories (include logs from all subdirectories)\r\n- The contents of the Exchange Web Server (also found within the inetpub folder)\r\n- At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\\Microsoft\\Exchange Server\\v15\\Logging\\ECP\\Server\r\n- Microsoft Windows event logs\r\nWe have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.\r\nTechnical Indicators\r\nThe following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True (LKT) value for network indicators. The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; as with all ongoing intrusions, a reasonable time window around it should be considered.\r\nUNC2639\r\nIndicator        Type                 Note\r\n165.232.154.116  Network: IP Address  Last known true: 2021/03/02 02:43\r\n182.18.152.105   Network: IP Address  Last known true: 2021/03/03 16:16\r\nUNC2640\r\nIndicator      Type             MD5\r\nhelp.aspx      File: Web shell  4b3039cf227c611c45d2242d1228a121\r\niisstart.aspx  File: Web shell  0fd9bffa49c76ee12e51e3b8ae0609ac\r\nUNC2643\r\nIndicator             Type                 MD5/Note\r\nCobalt Strike BEACON  File: Shellcode      79eb217578bed4c250803bd573b10151\r\n89.34.111.11          Network: IP Address  Last known true: 2021/03/03 21:06\r\n86.105.18.116         Network: IP Address  Last known true: 2021/03/03 21:39\r\nDetecting the Techniques\r\nFireEye detects this activity across our platforms. 
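As an added example (not code from the Mandiant post), the following Python script applies the HTTP-side checks from the Investigation Tips above to IIS W3C log lines: requests from external addresses to /rpc/, to /ecp/DDI/DDIService.svc/SetObject, to non-existent resources (HTTP 404), or with suspicious User-Agents, plus a match of the client address against the network indicators listed under Technical Indicators, reported as current or stale relative to each indicator’s Last Known True timestamp. The internal address ranges, the User-Agent fragments, the seven-day LKT tolerance and all log lines are constructed assumptions, not values from the post.

```python
# Added example, not code from the Mandiant post. Offline triage of IIS W3C log lines for the
# HTTP checks in the post's Investigation Tips, plus LKT-aware matching of the post's network
# indicators. Log lines, internal ranges, UA fragments and the LKT window are assumptions.
import ipaddress
from datetime import datetime, timedelta

# Network indicators and LKT values exactly as listed in the post. The association is only
# asserted up to the LKT, so a hit later than LKT + LKT_WINDOW is reported as stale.
INDICATORS = {
    '165.232.154.116': ('UNC2639', datetime(2021, 3, 2, 2, 43)),
    '182.18.152.105': ('UNC2639', datetime(2021, 3, 3, 16, 16)),
    '89.34.111.11': ('UNC2643', datetime(2021, 3, 3, 21, 6)),
    '86.105.18.116': ('UNC2643', datetime(2021, 3, 3, 21, 39)),
}
LKT_WINDOW = timedelta(days=7)  # assumed tolerance, not a value from the post
# Assumed internal ranges; an analyst would substitute the organisation's own.
INTERNAL_NETWORKS = [ipaddress.ip_network(cidr) for cidr in
                     ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]
# Assumed: crawler and tooling User-Agents that have no business reaching ECP or RPC.
SUSPICIOUS_UA_FRAGMENTS = ('bot/', 'spider', 'python-requests', 'curl/')
DDI_SETOBJECT = '/ecp/ddi/ddiservice.svc/setobject'


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if not line or line.startswith('#') or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # '-' or garbage: not attributable to an external source
    return not any(ip in net for net in INTERNAL_NETWORKS)


def triage_request(req):
    """Return the list of reasons one parsed request deserves analyst attention."""
    reasons = []
    client = req.get('c-ip', '-')
    if not is_external(client):
        return reasons  # the post's checks concern requests from external addresses
    stem = req.get('cs-uri-stem', '').lower()
    ua = req.get('cs(User-Agent)', '')
    if stem.startswith('/rpc/'):
        reasons.append('external request to /rpc/')
    if stem == DDI_SETOBJECT:
        reasons.append('external request to ECP DDI SetObject')
    if req.get('sc-status') == '404':
        reasons.append('external request for a non-existent resource')
    if any(fragment in ua.lower() for fragment in SUSPICIOUS_UA_FRAGMENTS):
        reasons.append('suspicious User-Agent: ' + ua)
    if client in INDICATORS:
        group, lkt = INDICATORS[client]
        seen = datetime.strptime(req['date'] + ' ' + req['time'], '%Y-%m-%d %H:%M:%S')
        freshness = 'current' if seen <= lkt + LKT_WINDOW else 'stale (after LKT window)'
        reasons.append('client IP is a %s indicator, %s' % (group, freshness))
    return reasons


def triage_log(text):
    """(client IP, URI stem, reasons) for every flagged request; clean requests are omitted."""
    flagged = []
    for req in parse_iis_w3c(text):
        reasons = triage_request(req)
        if reasons:
            flagged.append((req['c-ip'], req['cs-uri-stem'], reasons))
    return flagged


# Constructed sample log in IIS 10 W3C format (not from a real server).
SAMPLE_LOG = '''#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 16:10:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 443 - 182.18.152.105 Mozilla/5.0+(compatible;+Baiduspider/2.0) 200 0 0 120
2021-03-03 16:10:09 10.0.0.5 POST /rpc/rpcproxy.dll - 443 - 182.18.152.105 python-requests/2.25.1 401 0 0 15
2021-03-03 16:11:30 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 404 0 0 3
2021-03-03 16:12:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 40
2021-03-03 16:13:00 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 443 CORP\\admin 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 90
2021-03-20 08:00:00 10.0.0.5 GET /owa/ - 443 - 89.34.111.11 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
'''

if __name__ == '__main__':
    for client, stem, reasons in triage_log(SAMPLE_LOG):
        print(client, stem, '; '.join(reasons))
```

The internal administrator's SetObject call is dropped by the external-source filter, which is what keeps the DDI check from paging on every legitimate ECP change; the last line shows why the LKT matters, since a hit weeks after the indicator was last seen is worth a look but not the same confidence as one inside the window.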
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associate with these threat actors.\r\nPlatform(s): Network Security, Email Security, Detection On Demand, Malware File Scanning, Malware File Storage Scanning\r\nDetection Names:\r\n- FEC_Trojan_ASPX_Generic_2\r\n- FE_Webshell_ASPX_Generic_33\r\n- FEC_APT_Webshell_ASPX_HEARTSHELL_1\r\n- Exploit.CVE-2021-26855\r\nPlatform(s): Endpoint Security\r\nDetection Names:\r\nReal-Time (IOC):\r\n- SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)\r\n- ASPXSPY WEBSHELL CREATION A (BACKDOOR)\r\n- PROCDUMP ON LSASS.EXE (METHODOLOGY)\r\n- TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\r\n- NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)\r\n- SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\r\n- POWERSHELL DOWNLOADER (METHODOLOGY)\r\nMalware Protection (AV/MG):\r\n- Trojan.Agent.Hafnium.A\r\nModule Coverage:\r\n- [Process Guard] prevents dumping of LSASS memory using the procdump utility.\r\nPlatform(s): Helix\r\nDetection Names:\r\n- WINDOWS METHODOLOGY [Unusual Web Server Child Process]\r\n- MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html"
	],
	"report_names": [
		"detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58d583f8c12de665006b69000fd3e31c9b89e361.pdf",
		"text": "https://archive.orkl.eu/58d583f8c12de665006b69000fd3e31c9b89e361.txt",
		"img": "https://archive.orkl.eu/58d583f8c12de665006b69000fd3e31c9b89e361.jpg"
	}
}