{"id":2030,"date":"2021-04-14T11:19:42","date_gmt":"2021-04-14T09:19:42","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2030"},"modified":"2026-06-08T22:53:31","modified_gmt":"2026-06-08T22:53:31","slug":"italy-report-microsoft-exchange","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/italy-report-microsoft-exchange\/","title":{"rendered":"Italy Report: Microsoft Exchange"},"content":{"rendered":"\n<p style=\"text-align: justify\">In March, Microsoft released a security bulletin for <strong>Microsoft Exchange<\/strong> patch deployment. The urgency of the patch was driven by evidence that the criminal group <strong>Hafnium<\/strong> was exploiting certain vulnerabilities to compromise servers across multiple organizations worldwide (<strong>CVE-2021-26855<\/strong>,&nbsp;<strong>CVE-2021-26857<\/strong>,&nbsp;<strong>CVE-2021-26858<\/strong> and <strong>CVE-2021-27065)<\/strong>.<\/p>\n<p style=\"text-align: justify\">During this period, new vulnerabilities in the Microsoft Exchange product were identified that would allow attackers to gain unauthorized access to these systems without knowledge of usernames and passwords.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group__inner-container\">\n<div class=\"wp-block-columns\">\n<div class=\"wp-block-column\">\n\n\n\n\n<p style=\"text-align: center\"><strong><em>Interactive Map<\/em><\/strong><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column\">\n<ul>\n<li><strong>Compromised Systems<\/strong><br>\n<ul>\n<li>as of 29 March: <em><strong>346<\/strong><\/em><\/li>\n<li>as of 10 April: <em><strong>245<\/strong><\/em><\/li>\n<\/ul>\n<\/li>\n<li><strong>Systems with two or more backdoors<\/strong>:<br>\n<ul>\n<li>as of 29 March: <em><strong>106<\/strong><\/em><\/li>\n<li>as of 10 April: <em><strong>72<\/strong><\/em><\/li>\n<\/ul>\n<\/li>\n<li>Exchange systems in Italy: <em><strong>8 394<\/strong><\/em>;<\/li>\n<li><strong>vulnerable<\/strong> systems:<br>\n<ul>\n<li><em><strong>1 477<\/strong> <\/em>on 29 March (17% of total);<\/li>\n<li><em><strong>1 100<\/strong> <\/em>on 10 April (13% of total);<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"h-le-backdoor-installate-nei-server-italiani\"><strong>Backdoors<\/strong> Installed on Italian Servers<\/h2>\n\n\n\n<div class=\"wp-block-media-text alignwide\" style=\"margin-left: -94.4px;margin-right: -94.4px\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/01\/stackbar.webp\" alt=\"\" class=\"wp-image-2001\" loading=\"lazy\"><\/figure><div class=\"wp-block-media-text__content\">\n<p style=\"text-align: justify\">Between <strong>29 March<\/strong> and <strong>10 April<\/strong>, a clear reduction in the number of <em>backdoors<\/em> installed on compromised Italian systems is evident.<\/p>\n<p style=\"text-align: justify\">This is linked to patch deployment activities and concurrent backdoor removal. We emphasize that patch application alone is insufficient for effective removal of malicious code.<\/p>\n<p style=\"text-align: justify\">The backdoor <strong>supp0rt.aspx<\/strong> shows the largest decline and is the most prevalent in Italian systems. Initial compromises related to this <em>backdoor<\/em> date back to <strong>5 March 2021<\/strong>.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-columns alignwide is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"has-text-align-center wp-block-heading\" id=\"h-lo-status-code-delle-webshell\"><br>Web Shell <em>Status Codes<\/em><\/h3>\n\n\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Interactive Image<\/em><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"has-text-align-center wp-block-heading\" id=\"h-i-percorsi-delle-webshell\"><br>Web Shell Paths<\/h3>\n\n\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em> Interactive Image<\/em><\/p>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"h-resoconto-dei-sistemi-vulnerabili\">Vulnerable Systems Assessment<\/h2>\n\n\n\n<div class=\"wp-block-media-text alignwide\" style=\"margin-left: -94.4px;margin-right: -94.4px\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/01\/QuantiVulnerabili.webp\" alt=\"\" class=\"wp-image-1969\" loading=\"lazy\"><\/figure><div class=\"wp-block-media-text__content\">\n<h4>Vulnerable systems in Italy. Differences observed over two weeks.<\/h4>\n\n\n\n<p class=\"wp-block-verse \" style=\"text-align: justify\">Our team&#8217;s monitoring and analysis activities identified approximately <strong>8 000<\/strong> Microsoft Exchange systems in Italy. 1 477 were found to be vulnerable as of <strong>29 March 2021<\/strong>.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right\" style=\"margin-left: -94.4px;margin-right: -94.4px\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/01\/QuantiAncoraVulnerabili.webp\" alt=\"\" class=\"wp-image-1970\" loading=\"lazy\"><\/figure><div class=\"wp-block-media-text__content\">\n<p style=\"text-align: justify\">Follow-up assessment on <strong>10 April<\/strong> identified <strong>377 patched systems<\/strong>. <strong>1 100<\/strong> systems remained vulnerable. Through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> monitoring, we tracked the remediation pace across Italian infrastructure.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-columns alignfull is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"has-text-align-center wp-block-paragraph\"><strong>Cities by number of vulnerable systems:<\/strong><\/p>\n\n\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"has-text-align-center wp-block-paragraph\"><strong>Vulnerable systems by ISP (Internet Service Provider):<\/strong><\/p>\n\n\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\" style=\"text-align: justify\">The Microsoft Exchange vulnerability campaign demonstrates the critical importance of rapid patch deployment combined with forensic validation. Patch application must be accompanied by comprehensive backdoor detection and removal procedures, as initial compromise vectors may persist through web shells deployed prior to patching. Organizations operating unpatched Exchange infrastructure remain exposed to T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell) attack chains, with TA0010 (Exfiltration) as the likely operational objective.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Country-level snapshot of Microsoft Exchange compromise across Italian organisations: exposure metrics, exploitation observed and remediation status.<\/p>\n","protected":false},"author":1,"featured_media":2095,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[45,77,3233,89,135,136,188,3232,3203,277,318,352,388],"class_list":["post-2030","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-backdoor","tag-compromissioni","tag-country-level-telemetry","tag-cve","tag-exchange","tag-exchange-server","tag-italia","tag-italy-report","tag-microsoft-exchange","tag-proxylogon","tag-sicurezza","tag-threat-actor","tag-webshell"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2030"}],"version-history":[{"count":12,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2030\/revisions"}],"predecessor-version":[{"id":9881,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2030\/revisions\/9881"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}