Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

⚠️ THREAT ALERT: Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

The intrusion chain observed against the Azerbaijani energy firm is a multi-stage compromise of on-premises Microsoft Exchange Server that opens with the ProxyLogon chain. Unauthenticated requests to the front-end proxy (for example to paths under "/owa/auth/" or "/ecp/") carry crafted cookies such as X-BEResource or X-AnonResource-Backend that trigger the server-side request forgery in CVE-2021-26855, letting the attackers reach backend endpoints with the identity of the Exchange server itself and pull the mailbox and configuration data needed for the next step. That access is chained with CVE-2021-27065, a post-authentication arbitrary file write: by storing ASP.NET source in an Exchange virtual directory setting (in practice the OAB virtual directory's ExternalUrl, set through the ECP interface) and saving the change, the attackers write a web shell to disk with the privileges of the Exchange process, "NT AUTHORITY\SYSTEM". The reported shell is an .aspx (or compiled DLL) payload, in this case named "ExchangeShell.aspx", dropped into one of the front-end virtual directories. Persistence is then established by creating a transport rule (New-TransportRule, not Set-TransportConfig, which only edits organisation-wide transport settings) that forwards inbound mail to an external host under the operators' control, and by registering a scheduled task that invokes PowerShell to re-create the web shell if it is removed.

Further analysis of the web shell's activity shows that the operators chain the Exchange foothold with the later ProxyNotShell pair, CVE-2022-41040 (a server-side request forgery reachable through the Autodiscover endpoint) and CVE-2022-41082 (remote code execution through the Exchange PowerShell remoting endpoint once a request reaches it). Together these give an attacker holding any valid mailbox credential code execution on servers that lack the November 2022 Security Update, even where the 2021 holes were closed. C2 infrastructure is resolved through dynamic DNS domains, and encoded PowerShell commands download and execute a 64-bit backdoor launched through msbuild.exe from a compromised Azure Blob storage container. This secondary payload maintains a persistent reverse HTTPS tunnel over TCP port 443 and provides the beachhead for lateral movement: credentials are dumped from LSASS memory and replayed in Pass-the-Hash attacks against domain-joined Windows workstations, ultimately reaching the PLC management consoles adjacent to them.
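Both exploitation chains described above leave traces in logs the Exchange server already keeps, so the first question for a responder is whether those patterns are present. The following PowerShell is an added example, not code from the original alert or from Microsoft, intended to be run from an elevated shell on the Exchange server itself. It assumes the default installation paths ($ExchangeRoot, $IisLogRoot) and applies the published indicators for ProxyLogon (unauthenticated HttpProxy requests anchored to a backend server, and Set-*VirtualDirectory calls in the ECP server log) and for ProxyNotShell (Autodiscover requests carrying both an "@" and "powershell" in the URL).

```powershell
# Added example, not from the original alert: check an Exchange server's own logs for the
# two exploitation chains described above. Run from an elevated PowerShell on the server.
# $ExchangeRoot and $IisLogRoot are the default install paths (assumption; adjust if moved).
$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$IisLogRoot   = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'

function Find-ProxyLogonSsrf {
    # CVE-2021-26855: the front end proxied an unauthenticated request to a backend named
    # by the attacker's cookie, so HttpProxy log rows show an empty AuthenticatedUser
    # together with an AnchorMailbox of the form ServerInfo~<host>/<path>.
    # Autodiscover and localhost anchors appear in normal operation and are excluded.
    Get-ChildItem -Path (Join-Path $ExchangeRoot 'Logging\HttpProxy') -Filter '*.log' -Recurse -File |
        ForEach-Object {
            Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.AuthenticatedUser -eq '' -and
                    $_.AnchorMailbox -like 'ServerInfo~*/*' -and
                    $_.AnchorMailbox -notlike 'ServerInfo~*/autodiscover*' -and
                    $_.AnchorMailbox -notlike 'ServerInfo~localhost*/*'
                } |
                Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus
        }
}

function Find-OabWebShellWrite {
    # CVE-2021-27065 as used after the SSRF: the web shell is saved by an ECP request that
    # rewrites a virtual directory (Set-OabVirtualDirectory ... -ExternalUrl '<script ...').
    # The ECP server log records the cmdlet; administrators run it rarely, so review each hit.
    $ecpLogs = Join-Path $ExchangeRoot 'Logging\ECP\Server\*.log'
    Select-String -Path $ecpLogs -Pattern 'Set-\w+VirtualDirectory' -ErrorAction SilentlyContinue |
        Select-Object Filename, LineNumber, Line
}

function Find-ProxyNotShellRequest {
    # CVE-2022-41040 -> CVE-2022-41082: the SSRF rides an Autodiscover URL of the shape
    # /autodiscover/autodiscover.json?<x>@<y>/powershell... to reach the Exchange
    # PowerShell endpoint, so an IIS log line contains all three fragments.
    # Lookaheads match them in any field order; Select-String is case-insensitive by default.
    Get-ChildItem -Path $IisLogRoot -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern '^(?=.*autodiscover\.json)(?=.*@)(?=.*powershell)' |
        Select-Object Filename, LineNumber, Line
}

# Collect everything once, then print a count per indicator and the first rows of each.
$findings = [ordered]@{
    ProxyLogonSsrf      = @(Find-ProxyLogonSsrf)
    OabVirtualDirWrites = @(Find-OabWebShellWrite)
    ProxyNotShellUrls   = @(Find-ProxyNotShellRequest)
}
foreach ($name in $findings.Keys) {
    '{0}: {1} suspicious entries' -f $name, $findings[$name].Count
    $findings[$name] | Select-Object -First 10 | Format-Table -AutoSize
}
```

A non-empty ProxyLogonSsrf list means the SSRF was exercised against this server, whether or not a shell followed; a hit in the ECP log or the ProxyNotShell list means the artifact sweep under Mitigation must be run next. IIS and HttpProxy logs rotate, so an empty result on a server whose log retention is shorter than the suspected dwell time proves nothing.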

Mitigation must begin with immediate isolation of all Exchange servers from untrusted networks and disabling external access to OWA, ECP, EWS and Autodiscover until patches are applied. Install the Exchange Security Updates that actually close these holes: the March 2021 SU (KB5000871) for CVE-2021-26855 and CVE-2021-27065, and the November 2022 SU for CVE-2022-41040 and CVE-2022-41082. Both require a supported Cumulative Update already in place, since SUs only install on current CUs. Conduct a forensic sweep for known web shells (recently written .aspx or .dll files in the front-end virtual directories and in inetpub\wwwroot\aspnet_client, including "ExchangeShell.aspx"; OAB virtual directory ExternalUrl values containing script; and transport rules that redirect or copy mail outside the organisation), preserve copies for analysis, and only then purge the artifacts. Enforce multi-factor authentication for all Exchange administrator accounts, run an EDR agent on the Exchange servers, and restrict outbound HTTPS from those servers to an allow-list of required destinations so that a reverse tunnel to a C2 host cannot be established. Finally, run credential-access detections (Siemplify/Carbon Black rules for LSASS dumping and Pass-the-Hash) and reset passwords for all service accounts that may have been exposed.
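The forensic sweep above is a fixed set of checks that can be scripted rather than performed by hand. The following PowerShell is an added example, not code from the original alert or from Microsoft, and is meant to run in the Exchange Management Shell on each Exchange server with Exchange administrator rights (the transport rule check is organisation-wide, the file checks are per server). The default install path, the 90-day look-back window, the accepted-domain list and the "ExchangeShell.aspx" filename from the alert are all assumptions to replace with your own values.

```powershell
# Added example, not from the original alert: sweep one Exchange server for the persistence
# artifacts the alert lists. Run in the Exchange Management Shell as an Exchange admin.
$ExchangeRoot    = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'  # assumption: default path
$InternalDomains = @('example.com')          # assumption: replace with your accepted domains
$Since           = (Get-Date).AddDays(-90)   # assumption: anything newer than the last SU/CU

function Find-WebShellCandidate {
    # ASP.NET files under the front-end virtual directories and the aspnet_client folder
    # change only when Exchange itself is updated, so a recent LastWriteTime is suspect.
    # 'ExchangeShell.aspx' is the name the alert reports; match it regardless of age.
    $roots = @(
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
        (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
    )
    Get-ChildItem -Path $roots -Recurse -File -Include '*.aspx','*.ashx','*.asmx' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since -or $_.Name -ieq 'ExchangeShell.aspx' } |
        Select-Object FullName, LastWriteTime, Length
}

function Find-TamperedOabExternalUrl {
    # CVE-2021-27065 web shells are written by storing ASP.NET source in the OAB virtual
    # directory's ExternalUrl; a legitimate value is a plain URL and nothing else.
    Get-OabVirtualDirectory | Where-Object {
        $url = if ($_.ExternalUrl) { $_.ExternalUrl.ToString() } else { '' }
        $url -and ($url -notmatch '^https?://[^\s<>"]+$' -or $url -match 'script|runat|eval\(')
    } | Select-Object Server, Name, ExternalUrl
}

function Find-ExternalForwardingRule {
    # Transport rules that redirect or copy mail to an address outside the accepted domains.
    Get-TransportRule -ResultSize Unlimited | Where-Object {
        $targets  = @($_.RedirectMessageTo) + @($_.BlindCopyTo) + @($_.CopyTo) + @($_.AddToRecipients)
        $external = $targets | Where-Object { $_ } | ForEach-Object { $_.ToString() } |
            Where-Object { $InternalDomains -notcontains $_.Split('@')[-1] }
        @($external).Count -gt 0
    } | Select-Object Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients
}

function Find-EncodedPowerShellTask {
    # Scheduled tasks whose action runs PowerShell with -e / -ec / -enc / -EncodedCommand,
    # the form the alert describes for keeping the web shell in place.
    Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object {
            $_.Execute -match 'powershell|pwsh' -and $_.Arguments -match '(^|\s)-e(c|nc|ncodedcommand)?\s'
        }).Count -gt 0
    } | Select-Object TaskPath, TaskName, State, Author
}

$report = [ordered]@{
    WebShellCandidates   = @(Find-WebShellCandidate)
    TamperedOabUrls      = @(Find-TamperedOabExternalUrl)
    ExternalForwardRules = @(Find-ExternalForwardingRule)
    EncodedPsTasks       = @(Find-EncodedPowerShellTask)
}
foreach ($name in $report.Keys) {
    '{0}: {1} hit(s)' -f $name, $report[$name].Count
    $report[$name] | Format-Table -AutoSize
}
```

Treat every hit as evidence before treating it as something to delete: copy the files, export the rule and task definitions, and record the tampered ExternalUrl value, then remove the shell, reset the OAB ExternalUrl, disable the rule and unregister the task. A clean run on a server that still has an unpatched CU is not a clean server; it only means these particular artifacts were not found.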
