Have you patched the vulnerabilities in Microsoft Exchange Server?

Threat Level – Red | Vulnerability Report

Microsoft released patches for the Exchange Server vulnerabilities known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) in March 2021, five months ago. They are still being actively exploited, most recently in DeadRinger, a campaign against telecommunications providers around the world that Cybereason attributes to Chinese state-sponsored threat actors. DeadRinger consists of three activity clusters. The first is Soft Cell, which has been active since 2012. The second is the Naikon group, whose attacks on these telcos have been observed since 2020. The third shows signature overlaps with TG-3390 (also tracked as APT27 or Emissary Panda).

In response, Hive Pro Threat Researchers advise that you apply these patches without delay and check any Exchange server that was exposed before patching against the indicators of compromise listed below.

The techniques used in DeadRinger, mapped to MITRE ATT&CK, include:

T1592: Gather Victim Host Information
T1595: Active Scanning
T1590: Gather Victim Network Information
T1190: Exploit Public-Facing Application
T1059: Command and Scripting Interpreter
T1047: Windows Management Instrumentation
T1059.001: Command and Scripting Interpreter: PowerShell
T1505.003: Server Software Component: Web Shell
T1136: Create Account
T1053: Scheduled Task/Job
T1078: Valid Accounts
T1574: Hijack Execution Flow
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1027: Obfuscated Files or Information
T1036: Masquerading
T1070.006: Indicator Removal on Host: Timestomp
T1140: Deobfuscate/Decode Files or Information
T1040: Network Sniffing
T1087: Account Discovery
T1018: Remote System Discovery
T1071.001: Application Layer Protocol: Web Protocols
T1041: Exfiltration Over C2 Channel
T1021.002: Remote Services: SMB/Windows Admin Shares
T1550.002: Use Alternate Authentication Material: Pass the Hash
T1105: Ingress Tool Transfer
T1555: Credentials from Password Stores
T1003: OS Credential Dumping
T1016: System Network Configuration Discovery
T1069: Permission Groups Discovery
T1560: Archive Collected Data
T1569: System Services
T1543.003: Create or Modify System Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1570: Lateral Tool Transfer
T1056.001: Input Capture: Keylogging
T1573: Encrypted Channel

Vulnerability Details

Actor Details

Indicators of Compromise (IoCs)

Type: IP Address
47.56.86[.]44
45.76.213[.]2
45.123.118[.]232
101.132.251[.]212

Type: SHA-1 Hash
19e961e2642e87deb2db6ca8fc2342f4b688a45c
ba8f2843e2fb5274394b3c81abc3c2202d9ba592
243cd77cfa03f58f6e6568e011e1d6d85969a3a2
c549a16aaa9901c652b7bc576e980ec2a008a2e0
c2850993bffc8330cff3cb89e9c7652b8819f57f
440e04d0cc5e842c94793baf31e0d188511f0ace
e2340b27a4b759e0e2842bfe5aa48dda7450af4c
15336340db8b73bf73a17c227eb0c59b5a4dece2
5bc5dbe3a2ffd5ed1cd9f0c562564c8b72ae2055
0dc49c5438a5d80ef31df4a4ccaab92685da3fc6
81cfcf3f8213bce4ca6a460e1db9e7dd1474ba52
e93ceb7938120a87c6c69434a6815f0da42ab7f2
207b7cf5db59d70d4789cb91194c732bcd1cfb4b
71999e468252b7458e06f76b5c746a4f4b3aaa58
39c5c45dbec92fa99ad37c4bab09164325dbeea0
efc6c117ecc6253ed7400c53b2e148d5e4068636
a3c5c0e93f6925846fab5f3c69094d8a465828e9
a4232973418ee44713e59e0eae2381a42db5f54c
5602bf8710b1521f6284685d835d5d1df0679b0f
e3fcda85f5f42a2bffb65f3b8deeb523f8db2302
720556854fb4bcf83b9ceb9515fbe3f5cb182dd5
b699861850e4e6fde73dfbdb761645e2270f9c9a
6516d73f8d4dba83ca8c0330d3f180c0830af6a0
99f8263808c7e737667a73a606cbb8bf0d6f0980
a5b193118960184fe3aa3b1ea7d8fd1c00423ed6
92ce6af826d2fb8a03d6de7d8aa930b4f94bc2db
d9e828fb891f033656a0797f5fc6d276fbc9748f
87c3dc2ae65dcd818c12c1a4e4368f05719dc036

Type: Domain
cymkpuadkduz[.]xyz
nw.eiyfmrn[.]com
jdk.gsvvfsso[.]com
ttareyice.jkub[.]com
my.eiyfmrn[.]com
a.jrmfeeder[.]org
afhkl.dseqoorg[.]com
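To act on the table above, here is an added example (not code from the Hive Pro advisory or from Cybereason's report) that refangs the listed indicators and sweeps them against log lines and a file-hash inventory. Every log line, file path and hash value in the sample data is constructed for illustration, and only the first four SHA-1 values from the table are embedded; the remaining hashes load the same way.

```python
"""Sweep logs and file hashes for the DeadRinger IoCs listed in this advisory.

Added example, not part of the advisory or of Cybereason's report. The
indicators are copied from the IoC table; all sample log lines, paths and
hash inventories below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Indicators as published in the table, defanged with "[.]".
IOC_IPS = [
    "47.56.86[.]44", "45.76.213[.]2", "45.123.118[.]232", "101.132.251[.]212",
]
IOC_DOMAINS = [
    "cymkpuadkduz[.]xyz", "nw.eiyfmrn[.]com", "jdk.gsvvfsso[.]com",
    "ttareyice.jkub[.]com", "my.eiyfmrn[.]com", "a.jrmfeeder[.]org",
    "afhkl.dseqoorg[.]com",
]
# First four entries of the SHA-1 column; add the rest of the column here.
IOC_SHA1 = {
    "19e961e2642e87deb2db6ca8fc2342f4b688a45c",
    "ba8f2843e2fb5274394b3c81abc3c2202d9ba592",
    "243cd77cfa03f58f6e6568e011e1d6d85969a3a2",
    "c549a16aaa9901c652b7bc576e980ec2a008a2e0",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("45.76.213[.]2") back into a matchable string."""
    return ioc.replace("[.]", ".").lower()


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so IP addresses never match here.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every IoC hit in the lines.

    A domain matches exactly or as a parent of the observed host, so a lookup
    of "beacon.my.eiyfmrn.com" still flags the listed "my.eiyfmrn.com".
    """
    ips = {refang(i) for i in IOC_IPS}
    domains = {refang(d) for d in IOC_DOMAINS}
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in domains:
                hits.append((n, "domain", host))
            else:
                hits.extend((n, "domain", d) for d in domains if host.endswith("." + d))
    return hits


def check_hashes(observed: Dict[str, str]) -> List[Tuple[str, str]]:
    """observed maps file path -> SHA-1 hex digest (any case); returns the matches."""
    return [(path, h.lower()) for path, h in observed.items() if h.lower() in IOC_SHA1]


# Constructed sample data (not real telemetry): IIS-style access lines and
# resolver lines, plus a hash inventory with one planted match.
SAMPLE_LOG = [
    "2021-08-04 09:12:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2021-08-04 09:13:44 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 45.76.213.2 python-requests/2.25 200",
    "2021-08-04 09:15:02 resolver: query from 10.0.0.21 for beacon.my.eiyfmrn.com type A",
    "2021-08-04 09:16:10 resolver: query from 10.0.0.21 for updates.contoso.com type A",
]
SAMPLE_HASHES = {
    "C:\\temp\\update.dll": "19E961E2642E87DEB2DB6CA8FC2342F4B688A45C",
    "C:\\Windows\\System32\\notepad.exe": "0000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("log hit:", hit)
    for hit in check_hashes(SAMPLE_HASHES):
        print("hash hit:", hit)
```

Point `scan_log` at your IIS, HttpProxy and DNS logs and `check_hashes` at a SHA-1 inventory of the web roots and temp directories on the Exchange host; a hit on an IP or domain only proves contact with listed infrastructure, so follow it up with the web shell and account-creation techniques from the list above before declaring a compromise.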

Patch Links

CVE-2021-26855 (server-side request forgery; the unauthenticated entry point of the chain):
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855

CVE-2021-26857 (insecure deserialization in the Unified Messaging service):
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857

CVE-2021-26858 (post-authentication arbitrary file write):
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858

CVE-2021-27065 (post-authentication arbitrary file write):
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065

The fixes ship as Security Updates for supported Cumulative Updates only; a server on an older CU must first be brought to a supported CU before the Security Update will install.

References

https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

https://www.zdnet.com/article/deadringer-chinese-apts-strike-major-telecommunications-companies/
