
OSINT of Exchange 0-day campaign

Introduction

Reports of new 0-day vulnerabilities electrify the cybersecurity community, especially when they affect widely used products. Recent news about the successor of the infamous ProxyShell (CVE-2022-41040, CVE-2022-41082), found in Microsoft Exchange and disclosed by researchers at GTSC Research Lab on 28/09/2022, pushed our TI operations to get a better understanding of the attackers' infrastructure. Our brief analysis shows that enriching the available IoCs is worthwhile: it builds additional context and helps determine the motivations and origins of the threat actors.

OSINT analysis

One IoC from the GTSC Research Lab report, the address 206[.]188[.]196[.]77 used in the command-execution stage, has the domain rkn-redirect[.]net and several of its subdomains attached.

A DNS resolution change can be observed on 08/08/2022:

With high confidence, the server can be linked to the same operator, based on its SSH headers changing at the same time as the DNS resolution.

Based on the ETag header of the HTTP response, we can identify another server owned by the threat actor, 162[.]33[.]179[.]130, which has a certificate attached for mail.ticaret.gov[.]tr-redirect[.]net.

From this we can extract two email addresses, used to register several of the domains that have been used in spear-phishing attacks against government sites in Asia and Europe.

vpscontrollervnc@protonmail[.]com

  • openattachment[.]net (registered on 2022-05-01)
  • rkn-redirect[.]net (registered on 2022-03-25)
  • openingfile[.]net (registered on 2022-03-24)
  • northapollon[.]com (registered on 2022-03-01)
  • openfile-attachment[.]com (registered on 2022-02-16)
  • united-nation-news[.]com (registered on 2022-03-18)
  • byannika[.]com (registered on 2022-03-01)

netxv@bk[.]ru

  • tr-redirect[.]net (registered on 2022-08-26)
  • web-document[.]com (registered on 2022-08-14)

Some of these domains were hosted on shared hosting; this short analysis focuses only on standalone servers.

united-nation-news[.]com has been attached to 178[.]20[.]40[.]95 since 2022-03-31.

The last active web server response, with Zimbra Collaboration Service installed, can be observed on 05/05/2022:

openingfile[.]net is attached to 168[.]100[.]10[.]30, a standalone server hosting several subdomains, including:

  • mfa-tj[.]download (discovered on 2022-07-12)
  • akipress[.]news (discovered on 2022-03-25)
  • mail[.]antikor[.]gov[.]kz[.]openingfile[.]net (discovered on 2022-04-01)
  • mail[.]gov[.]kg[.]openingfile[.]net (discovered on 2022-04-06)
  • mail[.]agro[.]gov[.]kg[.]openingfile[.]net (discovered on 2022-05-05)
  • telegram[.]akipress[.]news (discovered on 2022-03-26)
  • mail[.]mfa[.]gov[.]kg[.]openingfile[.]net (discovered on 2022-03-24)
  • mail[.]aop[.]gov[.]af[.]openingfile[.]net (discovered on 2022-04-08)

In this part of the analysis the malicious character of the subdomains is obvious, but an additional WHOIS record can be found for akipress[.]news, whose registrant email shares a domain with the previously mentioned vpscontrollervnc@protonmail[.]com:

account0021@protonmail[.]com

  • auth0rization[.]cloud (registered on 2022-05-29)
  • united-nations-news[.]com (changed on 2022-04-01)
  • akipress[.]news (registered on 2022-03-31)
  • application-download[.]net (registered on 2021-12-11)


Conclusions

After further investigation, the Atos TI team was able to attribute, with medium confidence, the newest campaign, which exploits a new 0-day RCE vulnerability in MS Exchange servers, to a Chinese state-sponsored threat actor.

During our investigation of the WHOIS information for the email addresses involved in the described campaign, we identified multiple potential victims among government entities and the media sector. The Atos TI team discovered many domains used by the threat actor to mimic the legitimate domains of government institutions in Central Asian countries. Among others, the team was able to identify:

Government sector

  • aop.gov.af[.]openingfile.net – which is mimicking the Administrative Office of the President of the Islamic Republic of Afghanistan
  • agro.gov.kg[.]openingfile.net – which is mimicking the Ministry of Agriculture, Forestry and Water Resources of the Kyrgyz Republic
  • mfa.gov.kg[.]openingfile.net – which is mimicking the Ministry of Finances of the Kyrgyz Republic
  • mail-mfa-gov-openfile-attachment[.]com – which is mimicking the Ministry of Finances of the Kyrgyz Republic
  • mail-es-energo-openfile-attachment[.]com – which is mimicking the National Energy Holding of Kyrgyzstan
  • gov.kg.openingfile.net – which is mimicking the domain of Kyrgyzstan government institutions
  • antikor.gov.kz[.]openingfile.net – which is mimicking the Anti-corruption Agency of the Republic of Kazakhstan

Media sector

  • akipress[.]news – which is mimicking the AKIpress News Agency focused on Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan.
  • united-nations-news[.]com – which is mimicking the UN news agency.

The discovered infrastructure might be used in a spear-phishing campaign by a single threat actor.

A hacking group tied to the Chinese government has exploited zero-day vulnerabilities in Microsoft Exchange Server in the past, including ProxyLogon, to gain initial access to some of the targeted organizations.

The Chinese APT's goal appears to be related to the geopolitical interests of China, and they have conducted several such campaigns in the past. However, given that Chinese threat actors are known to share TTPs among themselves, it is hard to attribute the exploitation of this 0-day vulnerability to a specific group.
