Scanning for Microsoft Exchange eDiscovery
In the past week, I have notice more scans looking for the following Exchange URL over port 443: /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
What I have also noticed, all these scans for this URL are all from the same subnet (AS14061) DIGITALOCEAN-192-241-128-0.
This activity is likely linked to April Patch Tuesday (CVE-2021-28481) where “Also of significant note are the Microsoft Exchange Server Remote Code Execution vulnerabilities across versions 2013 – 2019. No known exploits are being reported however the CVSS score sits at 9.8, tread carefully. With a Critical rating, and a high CVSS score, those patches are worth reviewing in depth.”
Based on this graph, these scans started almost immediately (17 April 2021) after April patch Tuesday and are still ongoing today.
20210812-170532: 192.168.25.9:443-22.214.171.124:48302 data
GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1
User-Agent: Mozilla/5.0 zgrab/0.x
Indicators of Compromise
126.96.36.199/17 → AS14061
Have you noticed an increase in scans for this URL?
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.