Home / Industry

Looking Into the Latest Microsoft Exchange Server Vulnerability Exploitation

A threat actor reportedly infiltrated the network of and stole data from a financial institution about a month ago by exploiting any of four Microsoft Exchange Server vulnerabilities—CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, or CVE-2021-27065. While patches for all these have been released, users who have not downloaded and installed these could remain at risk.

What Is Known So Far

Nine IP addresses were identified in relation to the ongoing campaign, namely:

  • 156[.]194[.]127[.]178
  • 112[.]160[.]243[.]172
  • 221[.]179[.]87[.]175
  • 73[.]184[.]77[.]174
  • 41[.]237[.]156[.]15
  • 223[.]16[.]210[.]90
  • 63[.]76[.]255[.]110
  • 218[.]103[.]234[.]104
  • 83[.]110[.]215[.]7

We used a variety of domain and IP intelligence tools to get one step closer to identifying the actors behind the attack and determine other potential artifacts that organizations may want to avoid, apart from those identified above and coming from the Palo Alto report.

What Our Deep Dive Revealed

A look at passive Domain Name System (DNS) data showed that the records of seven of the IP addresses in the list above were modified within the year. These are 112[.]160[.]243[.]172, 221[.]179[.]87[.]175, 73[.]184[.]77[.]174, 41[.]237[.]156[.]15, 223[.]16[.]210[.]90, 63[.]76[.]255[.]110, and 218[.]103[.]234[.]104.

Three of them—73[.]184[.]77[.]174, 41[.]237[.]156[.]15, and 218[.]103[.]234[.]104—were updated before 6 March 2021, the date the financial institution was attacked. The remaining four IP addresses whose records were modified this year—112[.]160[.]243[.]172, 221[.]179[.]87[.]175, 223[.]16[.]210[.]90, and 63[.]76[.]255[.]110—were updated after 6 March 2021.

The seven IP addresses were updated while under the maintenance of four organizations. 112[.]160[.]243[.]172, 221[.]179[.]87[.]175, 73[.]184[.]77[.]174 (one range in the netblock), 223[.]16[.]210[.]90, and 63[.]76[.]255[.]110 are maintained by RIPE-NCC-HM-MNT. The netblock 73[.]184[.]77[.]174 is part of is maintained by Comcast while that which contains 41[.]237[.]156[.]15 is handled by AFRINIC. Finally, 218[.]103[.]234[.]104’s block is maintained by HKT Limited.

If research proves that these IP addresses are indeed malicious, takedown requests could be directed to the aforementioned Internet service providers (ISPs).

For utmost protection from vulnerability exploitation, avoiding all possible web properties tied to the threat is also important. As such, we subjected the nine IP addresses to reverse IP/DNS checks and found that they resolved to four domains—c-73-184-77-174[.]hsd1[.]ga[.]comcast[.]net, n218103234104[.]netvigator[.]com, bba422409[.]alshamil[.]net[.]ae, and ircbuhaira[.]dyndns[.]org, which may warrant a closer look at the very least if not blocking. Being wary of similar domains would also be worthwhile.

Organizations that do not want their infrastructures abused by threat actors like those behind this vulnerability exploitation campaign may benefit from monitoring changes made to their DNS records. They could be indicative of compromise for use in upcoming attacks.

Those who want to do more research, meanwhile, can use the artifacts featured in this post as a starting point. Steering clear of the additional domains mentioned above may also be advisable.

For more information on how the artifacts featured in this post were gathered using passive DNS data feeds and tools and possible collaborations, please contact us. Applications to the Typosquatting Community Feed are also open to security professionals wishing to stay up-to-date with suspicious newly registered domains (NRDs).

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API