Exchange Server 4 minute read

Iranian-Backed Ransomware Attacks Targeting Vulnerable Exchange Server

Published on November 23rd, 2021
Written by Ravi Singh
Approved by Shaun Hardneck

Summary: A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the National Cyber Security Centre (NCSC) warns critical infrastructure organizations that Iranian Advanced Persistent Threat (APT) actors are exploiting Fortinet VPN and Exchange ProxyShell vulnerabilities to deploy ransomware.


Researchers at the Microsoft Threat Intelligence Center (MSTIC) revealed at least six Iranian threat actors deploying web shells and ransomware to extort and sabotage their victims.

Cybersecurity agencies in the United States, United Kingdom, and Australia have also issued a joint advisory on the ongoing wave of attacks by state-sponsored threat groups exploiting the Microsoft Exchange ProxyShell and Fortinet vulnerabilities. The threat actors are actively scanning devices on ports 4443, 8443, and 10443 for the following FortiOS vulnerabilities:

  • CVE-2018-13379
  • CVE-2019-5591
  • CVE-2020-12812 (enumerated devices)

These vulnerabilities allow the threat actors to harvest plaintext credentials from the session file. It is estimated that the threat actors have collected credentials from over 900 Fortinet VPN servers in Europe, the United States, and Israel.

The threat actors are also exploiting the ProxyShell vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to compromise the network and deploy ransomware.

According to MSTIC, the Iranian attackers are increasingly capable, patient, and persistent in their social engineering campaigns, and carry out aggressive brute-force attacks in waves lasting six to eight weeks on average.

Microsoft has provided detailed information on the timeline of ransomware attacks by Iranian APTs that started back in September 2020.

[Figure: timeline of Iranian APT ransomware attacks on Exchange Server]

In another incident, Mandiant researchers found threat actors exploiting the ProxyShell and ProxyLogon vulnerabilities (patched earlier this year) and dropping web shells in a different way than seen before, making them harder to detect.

In some cases, instead of dropping web shells, the threat actors created hidden privileged mailboxes that can be used to take over other accounts.

Contents

  • How Are Attackers Deploying Ransomware on Vulnerable Exchange Servers?
  • Steps to Safeguard Your Organization from These Attacks
  • Conclusion

How Are Attackers Deploying Ransomware on Vulnerable Exchange Servers?

After compromising the Exchange Server by exploiting the ProxyShell and ProxyLogon vulnerabilities, the threat actors use the compromised server to distribute malicious email to the company's users. In this reply-chain attack, the attackers reply to the company's existing email threads to deliver malicious attachments.

[Figure: reply-chain attack via a compromised Exchange Server]

The email appears to be a continuation of a previous discussion between employees, which leads recipients to trust it as legitimate and tricks them into opening the malicious attachment.

The attachments downloaded from links in these emails are Microsoft Excel templates that ask recipients to 'Enable Editing'. Once editing is enabled, malicious macros download and install malware such as Qbot, SquirrelWaffle, and Cobalt Strike.

Because the message arrives through the organization's own Exchange Server inside an existing thread, this reply-chain attack bypasses the email protection system without raising an alarm, making it highly effective against human recipients.

Steps to Safeguard Your Organization from These Attacks

According to Shodan, more than 25,000 Exchange Servers are still unpatched and vulnerable to ProxyShell attacks.

[Figure: Shodan results for vulnerable Exchange Servers]

However, the real number of unpatched servers is estimated to be much higher.

Organizations with unpatched internet-facing Exchange Servers are at significant risk. However, organizations with patched servers also need to strengthen their security and review their Exchange Servers for unknown files or suspicious activity on the server, as well as mailbox permissions and accounts.

Step 1: Run HealthChecker Script

Download and run the HealthChecker.ps1 PowerShell script to check the server's health, performance, and configuration issues. You can generate a detailed HTML report with the following command:

.\HealthChecker.ps1 -BuildHtmlServersReport

[Figure: HealthChecker HTML report of Exchange Server health]

Step 2: Update Server

To protect your organization from malicious attacks, update the Exchange Server to the latest Cumulative Update and apply the November 2021 Security Updates to patch the ProxyShell vulnerabilities. Use the Exchange Deployment Assistant to learn the steps to update and patch your Exchange Server with the latest CUs.

[Figure: installing Exchange Server updates]

Step 3: Strengthen Server Security

After updating, review and strengthen the server's security measures. Also apply the following mitigations to reduce risk:

  • Check and update the Allow List and Block List to allow or block URLs, files, domains, etc.
  • If your organization does not use FortiOS, add the key artifact files used by FortiOS to your organization's execution block list so that any attempt to install or run them is prevented.
  • Implement a disaster recovery plan and back up regularly.
  • Enforce a strict password policy: change passwords after a set period and prevent password reuse.
  • Require administrator privileges to install software.
  • Implement two-factor or multifactor authentication.
  • Review and audit users with admin privileges.
  • Avoid public networks and Wi-Fi; use a VPN for secure remote access.
  • Educate and train users in your organization to recognize and avoid phishing emails.
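As an added example (not from the original post or any Stellar product), the following PowerShell, run from the Exchange Management Shell on the server, performs the review the post asks for: recently written .aspx files under the Exchange install path, hidden or recently created mailboxes (the hidden privileged mailbox technique mentioned above), explicit full-access grants, and members of the top admin role group. The 14-day window and the C:\ExchangeReview output folder are assumptions.

```powershell
# Added example, not part of the original post. Run in the Exchange Management
# Shell with an account that can read mailbox permissions and role groups.
$Since     = (Get-Date).AddDays(-14)       # assumed review window
$ReportDir = "C:\ExchangeReview"           # assumed output location
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Recently written .aspx files under the Exchange install path.
#    A CU/SU writes many files at once; a lone new .aspx under
#    FrontEnd\HttpProxy\owa\auth or ecp\auth deserves a closer look.
$aspx = Get-ChildItem -Path $env:ExchangeInstallPath -Recurse -Include *.aspx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Select-Object FullName, LastWriteTime, Length
$aspx | Export-Csv (Join-Path $ReportDir "recent-aspx.csv") -NoTypeInformation

# 2. Mailboxes hidden from address lists or created inside the review window.
$mbx = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.HiddenFromAddressListsEnabled -or $_.WhenCreated -gt $Since } |
    Select-Object DisplayName, Alias, WhenCreated, HiddenFromAddressListsEnabled
$mbx | Export-Csv (Join-Path $ReportDir "suspicious-mailboxes.csv") -NoTypeInformation

# 3. Explicit (non-inherited) FullAccess grants to someone other than the owner.
$perm = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object { -not $_.IsInherited -and
                   $_.User -notlike "NT AUTHORITY\SELF" -and
                   $_.AccessRights -like "*FullAccess*" } |
    Select-Object Identity, User, AccessRights
$perm | Export-Csv (Join-Path $ReportDir "fullaccess-grants.csv") -NoTypeInformation

# 4. Members of Organization Management, the most privileged Exchange role group.
$admins = Get-RoleGroupMember "Organization Management" | Select-Object Name, RecipientType
$admins | Export-Csv (Join-Path $ReportDir "org-management-members.csv") -NoTypeInformation

Write-Host ("Recent .aspx: {0}; flagged mailboxes: {1}; explicit FullAccess grants: {2}; Org Management members: {3}" -f
    @($aspx).Count, @($mbx).Count, @($perm).Count, @($admins).Count)
```

Compare each CSV against your change records; anything you cannot account for (an .aspx nobody deployed, a hidden mailbox nobody requested, a FullAccess grant nobody approved) is the starting point for an incident investigation.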

Conclusion

Threat actors are actively scanning for vulnerable Exchange Servers and exploiting the ProxyShell vulnerabilities to compromise unpatched servers and deploy ransomware or install web shells as backdoors for future attacks. Leaving a server unpatched is an open invitation to threat actors. We urge our readers to patch their servers and strengthen server security as soon as possible to stay protected against these threats.

If, despite this, your server is compromised or crashes after an attack, set up a new Exchange Server. Never reuse the compromised server even after it has been fixed, as it may still contain web shells that attackers can use for future attacks.

Use your backup to restore mailboxes on the new server, or an Exchange recovery software such as Stellar Repair for Exchange if no backup is available. The software helps you recover mailboxes from the database on a compromised Exchange Server, even if the database is inaccessible or corrupt, and restores them directly to your new Exchange Server or Office 365 tenant in a few clicks.

About The Author

Ravi Singh

Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 6 years of experience in technical writing. He writes about Data Recovery, File Repair, Email Migration, Linux, Windows, Mac, and DIY Tech. Ravi spends most of his weekends working with IoT devices and playing games on the Xbox. He is also a solo traveler who loves hiking and exploring new trails.
