Italy Report: Microsoft Exchange
In March, Microsoft released a security bulletin calling for the deployment of patches for Microsoft Exchange. The urgency of the patch was driven by evidence that the criminal group Hafnium was exploiting certain vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) to compromise servers across multiple organizations worldwide.
During this period, new vulnerabilities in the Microsoft Exchange product were identified that would allow attackers to gain unauthorized access to these systems without knowledge of usernames and passwords.
- Compromised systems:
  - as of 29 March: 346
  - as of 10 April: 245
- Systems with two or more backdoors:
  - as of 29 March: 106
  - as of 10 April: 72
- Exchange systems in Italy: 8 394
- Vulnerable systems:
  - 1 477 on 29 March (17% of total)
  - 1 100 on 10 April (13% of total)
Backdoors Installed on Italian Servers

Between 29 March and 10 April, a clear reduction in the number of backdoors installed on compromised Italian systems is evident.
This is linked to patch deployment activities and concurrent backdoor removal. We emphasize that patch application alone is insufficient for effective removal of malicious code.
The backdoor supp0rt.aspx shows the largest decline and is the most prevalent in Italian systems. Initial compromises related to this backdoor date back to 5 March 2021.
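Because patching does not remove a web shell that is already on disk, a post-patch check of the IIS logs is worth running. The following is an added example, not code from this report: it parses W3C-format IIS logs, flags requests whose file name is on a watchlist (`supp0rt.aspx` comes from the report), and lists paths that still returned a 2xx status on or after a given patch date. The log lines, the `/example-dir/` path, the IP addresses and the patch date are constructed for illustration.

```python
import posixpath
from collections import Counter

WATCHLIST = {"supp0rt.aspx"}  # file name taken from this report

# Constructed IIS W3C log sample (documentation IPs, hypothetical directory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-05 02:11:40 POST /example-dir/supp0rt.aspx 203.0.113.7 200
2021-03-06 09:30:02 GET /owa/auth/logon.aspx 198.51.100.4 200
2021-03-20 14:02:19 POST /example-dir/Supp0rt.aspx 203.0.113.9 200
2021-04-02 08:45:51 GET /example-dir/supp0rt.aspx 192.0.2.55 404
"""

def find_webshell_hits(log_text, watchlist=WATCHLIST):
    """Return {uri_stem: summary} for requests whose file name is watchlisted."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if posixpath.basename(stem) not in watchlist:
            continue
        day, status = row.get("date", ""), row.get("sc-status", "")
        hit = hits.setdefault(
            stem, {"first_seen": day, "last_ok": None, "statuses": Counter()})
        hit["first_seen"] = min(hit["first_seen"], day)  # ISO dates sort as text
        hit["statuses"][status] += 1
        if status.startswith("2"):         # 2xx: the file was still being served
            hit["last_ok"] = max(hit["last_ok"] or day, day)
    return hits

def served_after(hits, patch_date):
    """Paths that still answered 2xx on or after patch_date (ISO date string)."""
    return sorted(p for p, h in hits.items()
                  if h["last_ok"] and h["last_ok"] >= patch_date)

if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG)
    for path, h in hits.items():
        print(path, h["first_seen"], dict(h["statuses"]), h["last_ok"])
    print("served after patch:", served_after(hits, "2021-03-15"))
```

A path listed by `served_after` is only a lead: confirm on disk that the file exists, then remove it and review what was requested through it.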
[Figure: Web Shell Status Codes]
[Figure: Web Shell Paths]
Vulnerable Systems Assessment

Vulnerable systems in Italy. Differences observed over two weeks.
Our team’s monitoring and analysis activities identified approximately 8 000 Microsoft Exchange systems in Italy. 1 477 were found to be vulnerable as of 29 March 2021.

Follow-up assessment on 10 April identified 377 patched systems. 1 100 systems remained vulnerable. Through Cyber Threat Intelligence monitoring, we tracked the remediation pace across Italian infrastructure.
Cities by number of vulnerable systems:
Vulnerable systems by ISP (Internet Service Provider):
The Microsoft Exchange vulnerability campaign demonstrates the critical importance of rapid patch deployment combined with forensic validation. Patch application must be accompanied by comprehensive backdoor detection and removal procedures, as initial compromise vectors may persist through web shells deployed prior to patching. Organizations operating unpatched Exchange infrastructure remain exposed to T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell) attack chains, with TA0010 (Exfiltration) as the likely operational objective.