{
	"id": "6319e78c-ffc9-42dd-9f25-759afe029e82",
	"created_at": "2026-04-06T00:06:25.66807Z",
	"updated_at": "2026-04-10T03:21:47.468901Z",
	"deleted_at": null,
	"sha1_hash": "d899268049fbc22e505dd8e13d740cb4c4275393",
	"title": "Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2 - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 873111,
	"plain_text": "Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2 - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.\r\nBy Jie Ji\r\nPublished: 2021-09-26 · Archived: 2026-04-05 18:08:46 UTC\r\nEvent Overview\r\nRecently, NSFOCUS CERT discovered a slew of security incidents that exploited security vulnerabilities (ProxyShell) in Microsoft Exchange. NSFOCUS also found that the new ransomware group LockFile took advantage of the ProxyShell and PetitPotam vulnerabilities to target enterprise domain environments, ultimately encrypting a considerable number of enterprise hosts for ransom.\r\nIn April, a security researcher reported multiple Exchange Server vulnerabilities to Microsoft. Three of them were fixed in Microsoft’s April and May security updates, and two were not disclosed until the release of the July security updates. Vulnerability details are as follows:\r\nMicrosoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473): This vulnerability arises due to the lack of proper validation of access privileges for URIs. 
An unauthenticated attacker could leverage this issue to access restricted internal APIs via a known API.\r\nOfficial security bulletin: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473\r\nMicrosoft Exchange Privilege Escalation Vulnerability (CVE-2021-34523): Because Microsoft Exchange Server does not properly validate an access token before executing Exchange PowerShell commands, an attacker could execute arbitrary code in the restricted environment via a crafted identity.\r\nOfficial security bulletin: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523\r\nMicrosoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207): Certain Microsoft Exchange PowerShell command APIs do not restrict the file path and suffix when writing files, allowing attackers to write arbitrary files.\r\nOfficial security bulletin: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207\r\nWindows LSA Spoofing Vulnerability (CVE-2021-36942): An attacker could exploit EFSRPC (Encrypting File System Remote Protocol) to launch an NTLM relay attack dubbed PetitPotam and escalate their system privileges.\r\nOfficial security bulletin: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\r\nhttps://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/\r\nPage 1 of 9\n\nCurrently, exploits of the preceding vulnerabilities have been made publicly available and weaponized. Attackers could exploit a combination of these vulnerabilities to achieve remote code execution on an affected Exchange server and gain the highest system privileges on the target host. 
Attack activity has been raging recently, and affected users should take precautions as soon as possible.\r\nTimeline\r\nApril, 2021: A security researcher reported multiple Microsoft Exchange Server vulnerabilities to Microsoft.\r\nApril–May, 2021: Microsoft released security updates to fix the ProxyShell vulnerabilities.\r\nJuly 14, 2021: Microsoft’s July security updates feature security bulletins for the CVE-2021-34473 and CVE-2021-31207 vulnerabilities.\r\nJuly 19, 2021: A French researcher found a vulnerability (PetitPotam) that could lead to a relay attack through the exploitation of EFSRPC in Windows systems and released PoC code.\r\nJuly 24, 2021: Microsoft released the security bulletin ADV210003 to warn of an NTLM relay attack (no patch available) against Active Directory Certificate Services (AD CS).\r\nAugust 6, 2021: A Taiwanese security researcher presented the Exchange vulnerability details at Black Hat USA 2021 and dubbed the vulnerabilities ProxyShell.\r\nAugust 11, 2021: Microsoft’s August security updates feature patches to fix the NTLM relay attack vulnerability (PetitPotam), assigned CVE-2021-36942.\r\nAugust 20, 2021: An exploit for the ProxyShell vulnerabilities was made publicly available on multiple platforms such as GitHub and Reddit, and an exploit module for these vulnerabilities was added to the well-known Metasploit framework.\r\nAugust 23, 2021: Groups behind malware such as the LockFile ransomware exploited the ProxyShell and PetitPotam vulnerabilities to launch attacks in the wild at frequent intervals. 
August 25, 2021: Microsoft’s Exchange team posted a security warning on its blog urging users to apply the related patches as soon as possible.\r\nAnalysis of the Kill Chain of the LockFile Ransomware Group\r\nWebShell Planted in ProxyShell\r\nMicrosoft Exchange Server’s improper path verification, coupled with path obfuscation, could lead to SSRF. In this way, attackers could access PowerShell endpoints and pack malicious email content into external files through a remote PowerShell session. By writing such content to files, attackers could obtain a shell. By default, the WebShell is written to C:\\inetpub\\wwwroot\\aspnet_client\\.\r\nFirst, Microsoft Exchange Server lacks proper verification of a PowerShell endpoint’s /Autodiscover/Autodiscover.json path requested by the Autodiscover backend. By triggering the URL request formatting of the ExplicitLogon function, an attacker could exploit this issue to directly access arbitrary restricted backend APIs via a combination of a crafted URL and cookies. The CVE-2021-34473 vulnerability is exploited during this process. The vulnerable core code is as follows (shown as an image in the original; not included in the extracted text):\r\nFinally, the following malicious request is crafted (shown as an image in the original; not included in the extracted text):\r\nVia a malicious URL, the attacker could obtain the LDAP DN of an account with the desired privileges and then locate the mailbox storage of the victim account.\r\nAfter obtaining the storage location of the victim account, the attacker further exploits this SSRF vulnerability to invoke the EMSMDB email transmission interface of Exchange MAPI. As Exchange’s web application runs with SYSTEM privileges, MAPI is invoked with SYSTEM privileges instead of the privileges of the victim account. 
In this case, an error is reported indicating that the caller uses different privileges before and after the MAPI invocation, and the victim account SID is disclosed in this error message.\r\nA malicious request is as follows (shown as an image in the original; not included in the extracted text):\r\nError information is as follows (shown as an image in the original; not included in the extracted text):\r\nThe attacker could use both the SID of the victim account and the fixed SID of a privileged group on Windows to craft a session token for Windows authentication. This token is supposed to be crafted by the frontend reverse proxy server and transmitted to the backend via an HTTP request header. Due to improper verification, if the HTTP header carrying the token does not exist, the backend falls back to parsing a URL parameter, so the attacker could manipulate the URL during SSRF to obtain the Exchange Remote PowerShell Management Session privilege on the Exchange server. The vulnerability exploited in this process is CVE-2021-34523. The core vulnerable code is as follows (shown as an image in the original; not included in the extracted text):\r\nAfter the Exchange Remote PowerShell Management Session privilege is obtained, commands other than Exchange PowerShell cmdlets cannot be executed because this session belongs to a restricted PowerShell environment. The FilePath parameter, which specifies the path to save the file exported via the New-MailboxExportRequest command (used for export backup of an individual mailbox), has no restriction on the file path, file name, or file extension. This allows attackers to write arbitrary files. During this process, the vulnerability CVE-2021-31207 is used. The shell command used is as follows (shown as an image in the original; not included in the extracted text):\r\nBy exploiting the preceding SSRF vulnerability, the attacker invokes the corresponding Exchange API endpoint to store the encoded WebShell file containing malicious code in the Drafts folder of the victim’s mailbox, or sends the file to the victim’s mailbox. 
The WebShell content is pre-encoded so that it is restored when Exchange applies its own encoding while exporting the victim’s mailbox for backup; in this way, the attacker writes the WebShell to disk. The WebShell content is encoded with the permutative encoding that Microsoft uses for PST files, a substitution scheme that guarantees the characters survive the encode and decode steps.\r\nMost of the captured samples are the following encoded one-line backdoor (shown as an image in the original; not included in the extracted text):\r\nCobalt Strike Planted Through DLL Hijacking\r\nThe attacker executes the wget command in PowerShell to download attack toolkits for subsequent use, and frequently changes server ports and uses random file names (like http://x.x.x.x:45261/5rFxNBwH6ol0Q9z1sAaIZ) to prevent samples from being captured by researchers. Currently, server IP addresses known to be used by the attackers include 209.14.0.234, 45.91.83.176, 183.226.73.185, and 178.63.226.197. The attacker first uses EfsPotato.exe from the toolkit for local privilege escalation, and then runs the Cobalt Strike loader active_desktop_launcher.exe with the highest system privileges. The privilege escalation tool EfsPotato exploits the CVE-2021-36942 vulnerability, also known as PetitPotam. The attacker leverages EFSRPC to launch NTLM relay attacks to escalate local privileges or privileges in the AD domain.\r\nactive_desktop_launcher is the legitimate, validly signed KuGou launcher, which is abused to load active_desktop_render.dll for malicious code execution.\r\nThe launcher invokes two functions, SetDesktopMonitorHook and ClearDesktopMonitorHook, both of which reside in active_desktop_render.dll. SetDesktopMonitorHook performs the following steps:\r\n1. 
Try to open desktop.ini in the current directory. If this file does not exist, exit the program.\r\n2. Create a new thread, open desktop.ini in this thread, and map the file into memory.\r\n3. Read the file contents through the memory mapping, XOR-decrypt them, and execute the result as shellcode.\r\nClearDesktopMonitorHook reads files for string comparison and exits the process, and provides no other actual functionality. The C\u0026C address of the Cobalt Strike trojan in the captured sample is sc.microsofts.net/messages/DALBNSf26.\r\nGroup Policy in the AD Domain for Bulk Script Dispatch\r\nThe attacker copies the ransomware-related tools to the NETLOGON shared directory on the domain controller. The absolute path of the directory is C:\\Windows\\Sysvol\\Sysvol\\[DomainName]\\Scripts, so hosts in the domain can access the tools via the UNC path \\\\server\\netlogon. The attacker then creates a group policy object (GPO) for script execution in the Group Policy Management window on the domain controller, links it, and dispatches it to hosts in the domain.\r\nAnalyzing the captured script file autologin.bat, we find that the attacker first copies the ransomware file autoupdate.exe and the KDU kernel tools (autologin.exe, autologin.dll, and autologin.sys) from the NETLOGON shared directory to the local directory C:\\Windows\\Temp. 
Then the attacker uses the KDU tool to obtain kernel privileges, terminates the antivirus process, and finally executes the ransomware file.\r\nTo be continued.\r\nSource: https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/"
	],
	"report_names": [
		"insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d899268049fbc22e505dd8e13d740cb4c4275393.pdf",
		"text": "https://archive.orkl.eu/d899268049fbc22e505dd8e13d740cb4c4275393.txt",
		"img": "https://archive.orkl.eu/d899268049fbc22e505dd8e13d740cb4c4275393.jpg"
	}
}