A threat actor reportedly infiltrated the network of and stole data from a financial institution about a month ago by exploiting any of four Microsoft Exchange Server vulnerabilities—CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, or CVE-2021-27065. While patches for all these have been released, users who have not downloaded and installed these could remain at risk.

What Is Known So Far

Nine IP addresses were identified in relation to the ongoing campaign, namely:

• 156[.]194[.]127[.]178
• 112[.]160[.]243[.]172
• 221[.]179[.]87[.]175
• 73[.]184[.]77[.]174
• 41[.]237[.]156[.]15
• 223[.]16[.]210[.]90
• 63[.]76[.]255[.]110
• 218[.]103[.]234[.]104
• 83[.]110[.]215[.]7

We used a variety of domain and IP intelligence tools to get one step closer to identifying the actors behind the attack and determine other potential artifacts that organizations may want to avoid, apart from those identified above and coming from the Palo Alto report.

What Our Deep Dive Revealed

A look at passive Domain Name System (DNS) data showed that the records of seven of the IP addresses in the list above were modified within the year. These are 112[.]160[.]243[.]172, 221[.]179[.]87[.]175, 73[.]184[.]77[.]174, 41[.]237[.]156[.]15, 223[.]16[.]210[.]90, 63[.]76[.]255[.]110, and 218[.]103[.]234[.]104.

Three of them—73[.]184[.]77[.]174, 41[.]237[.]156[.]15, and 218[.]103[.]234[.]104—were updated before 6 March 2021, the date the financial institution was attacked. The remaining four IP addresses whose records were modified this year—112[.]160[.]243[.]172, 221[.]179[.]87[.]175, 223[.]16[.]210[.]90, and 63[.]76[.]255[.]110—were updated after 6 March 2021.

The seven IP addresses were updated while under the maintenance of four organizations. 112[.]160[.]243[.]172, 221[.]179[.]87[.]175, 73[.]184[.]77[.]174 (one range in the netblock), 223[.]16[.]210[.]90, and 63[.]76[.]255[.]110 are maintained by RIPE-NCC-HM-MNT. The netblock 73[.]184[.]77[.]174 is part of is maintained by Comcast while that which contains 41[.]237[.]156[.]15 is handled by AFRINIC. Finally, 218[.]103[.]234[.]104’s block is maintained by HKT Limited.

If research proves that these IP addresses are indeed malicious, takedown requests could be directed to the aforementioned Internet service providers (ISPs).

For utmost protection from vulnerability exploitation, avoiding all possible web properties tied to the threat is also important. As such, we subjected the nine IP addresses to reverse IP/DNS checks and found that they resolved to four domains—c-73-184-77-174[.]hsd1[.]ga[.]comcast[.]net, n218103234104[.]netvigator[.]com, bba422409[.]alshamil[.]net[.]ae, and ircbuhaira[.]dyndns[.]org, which may warrant a closer look at the very least if not blocking. Being wary of similar domains would also be worthwhile.

Organizations that do not want their infrastructures abused by threat actors like those behind this vulnerability exploitation campaign may benefit from monitoring changes made to their DNS records. They could be indicative of compromise for use in upcoming attacks.

Those who want to do more research, meanwhile, can use the artifacts featured in this post as a starting point. Steering clear of the additional domains mentioned above may also be advisable.

For more information on how the artifacts featured in this post were gathered using passive DNS data feeds and tools and possible collaborations, please contact us. Applications to the Typosquatting Community Feed are also open to security professionals wishing to stay up-to-date with suspicious newly registered domains (NRDs).