{"id":941,"date":"2021-03-03T14:54:30","date_gmt":"2021-03-03T06:54:30","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=941"},"modified":"2021-03-03T14:54:30","modified_gmt":"2021-03-03T06:54:30","slug":"microsoft%e7%b7%8a%e6%80%a5%e7%99%bc%e5%b8%834%e5%80%8b%e9%9b%b6%e6%99%82%e5%b7%ae%e6%bc%8f%e6%b4%9e%e7%9a%84%e4%bf%ae%e8%a3%9c%ef%bc%8c%e8%ab%8b%e7%ab%8b%e5%8d%b3%e6%9b%b4%e6%96%b0","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=941","title":{"rendered":"Microsoft\u7dca\u6025\u767c\u5e034\u500b\u96f6\u6642\u5dee\u6f0f\u6d1e\u7684\u4fee\u88dc\uff0c\u8acb\u7acb\u5373\u66f4\u65b0"},"content":{"rendered":"\n<p>KEY POINTS:<\/p>\n\n\n\n<p>*\u5fae\u8edf\u8868\u793a\u4e00\u500b\u4e2d\u570b\u653f\u5e9c\u8cc7\u52a9\u65b0\u7684\u99ed\u5ba2\u7d44\u7e54\u201dHafnium\u201d\u958b\u63a1\u4e86\u5176\u90f5\u4ef6\u4f3a\u670d\u5668\u7a0b\u5f0f\u78bc\u4e2d\u65b0\u767c\u73fe\u7684\u6f0f\u6d1e<\/p>\n\n\n\n<p>*\u76ee\u6a19\u5305\u62ec\u7f8e\u570b\u50b3\u67d3\u75c5\u7814\u7a76\u4eba\u54e1\uff0c\u5f8b\u5e2b\u4e8b\u52d9\u6240\uff0c\u9ad8\u7b49\u6559\u80b2\u6a5f\u69cb\uff0c\u570b\u9632\u627f\u5305\u5546\uff0c\u653f\u7b56\u667a\u5eab\u548c\u975e\u653f\u5e9c\u7d44\u7e54<\/p>\n\n\n\n<p>\u5fae\u8edf\u57283\u67082\u65e5\u8868\u793a\uff0c\u4e2d\u570b\u653f\u5e9c\u8cc7\u52a9\u65b0\u7684\u570b\u5bb6\u7d1a\u99ed\u5ba2\u7d44\u7e54\u6b63\u5728\u5229\u7528\u6538\u95dc\u5176Exchange\u4f3a\u670d\u5668\u4e2d\u4ee5\u524d\u672a\u88ab\u767c\u73fe\u7684\u56db\u500b\u96f6\u6642\u5dee\u6f0f\u6d1e\uff0c\u5f9e\u9060\u7aef\u5165\u4fb5\u96fb\u5b50\u90f5\u4ef6\u4fe1\u7bb1\u3002\u5fae\u8edf\u7a31\uff0cHafnium\u80fd\u5229\u7528\u9019\u56db\u500b\u65b0\u767c\u73fe\u7684\u96f6\u6642\u5dee\u6f0f\u6d1e\u95d6\u5165\u4e86\u516c\u53f8\u7db2\u8def\u4e0a\u904b\u884c\u7684Exchange\u96fb\u5b50\u90f5\u4ef6\u4f3a\u670d\u5668\uff0c\u5f9e\u800c\u4f7f\u653b\u64ca\u8005\u80fd\u5920\u5f9e\u53d7\u5bb3\u8005\u7684\u7d44\u7e54\u4e2d\u7aca\u53d6\u6578\u64da\uff08\u4f8b\u5982\u96fb\u5b50\u90f5\u4ef6\u5e33\u6236\u548c\u901a\u8a0a\u9304\uff09\uff0c\u4e26\u4e14\u80fd\u5920\u690d\u5165\u60e1\u610f\u8edf\u9ad4\uff0c\u5df2\u767c\u73feHafnium\u80fd\u5c07\u56db\u500b\u96f6\u65e5\u6f0f\u6d1e\u7d44\u5408\u4e00\u8d77\u540c\u6642\u958b\u63a1\uff0c\u5f62\u6210\u4e00\u689d\u653b\u64ca\u93c8\uff0c\u8a72\u653b\u64ca\u93c8\u53ef\u7834\u58de\u904b\u884c\u7684Exchange 2013\u6216\u66f4\u65b0\u7248\u672c\u7684\u843d\u5730\u4f3a\u670d\u5668(\u5305\u62ecExchange Server 2013\u30012016\u548c2019\u3002)<\/p>\n\n\n\n<p>\u70ba\u4e86\u4f7f\u653b\u64ca\u8d77\u4f5c\u7528\uff0c\u99ed\u5ba2\u9700\u8981\u5b58\u53d6\u5fae\u8edf\u843d\u5730\u7248Exchange\u4f3a\u670d\u5668\u4e0a\u7684port 443 \uff0c\u5982\u679c\u53ef\u7528\u5b58\u53d6\uff0c\u5247\u53ef\u4f7f\u99ed\u5ba2\u5229\u7528\u4ee5\u4e0b\u6f0f\u6d1e\u7372\u53d6\u9060\u7aef\u5b58\u53d6\uff1a<\/p>\n\n\n\n<p>CVE-2021-26855\u662f\u4e00\u500b\u4f3a\u670d\u5668\u7aef\u8acb\u6c42\u507d\u9020(Server-Side Request Forgery)\u6f0f\u6d1e\uff0c\u5728\u8a72\u6f0f\u6d1e\u4e2d\uff0c\u4f3a\u670d\u5668\uff08\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\u70ba\u843d\u5730Exchange Server\uff09\u53ef\u80fd\u6703\u88ab\u8a98\u9a19\u5230\u904b\u884c\u672c\u4e0d\u61c9\u88ab\u5141\u8a31\u904b\u884c\u7684\u547d\u4ee4\u4e2d\uff0c\u4f8b\u5982\u901a\u904eExchange\u4f3a\u670d\u5668\u672c\u8eab\u9032\u884c\u8eab\u4efd\u9a57\u8b49\u3002<\/p>\n\n\n\n<p>\u653b\u64ca\u8005\u4f7f\u7528CVE-2021-26857\u5728\u76ee\u6a19Exchange\u4f3a\u670d\u5668\u4e0a\u7684\u201c\u7cfb\u7d71\u201d\u5e33\u6236\u4e0b\u904b\u884c\u4ed6\u5011\u9078\u64c7\u7684\u7a0b\u5f0f\u78bc\u3002\u5176\u4ed6\u5169\u500b\u96f6\u6642\u5dee\u6f0f\u6d1e\uff08CVE-2021-26858\u548cCVE-2021-27065\uff09\u53ef\u80fd\u4f7f\u653b\u64ca\u8005\u53ef\u4ee5\u5c07\u6587\u4ef6\u5beb\u5165\u4f3a\u670d\u5668\u7684\u4efb\u4f55\u90e8\u5206\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/03\/nmap-script-1024x217.jpg\" alt=\"\" class=\"wp-image-942\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/03\/nmap-script-1024x217.jpg 1024w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/03\/nmap-script-300x64.jpg 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/03\/nmap-script-768x163.jpg 768w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/03\/nmap-script.jpg 1526w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><strong>\u4f7f\u7528nmap\u8173\u672c\u6307\u4ee4\u53ef\u6383\u51faMicrosoft Exchange Server\u7684\u5f31\u9ede\u793a\u610f\u5716<\/strong><\/figcaption><\/figure>\n\n\n\n<p>\u5fae\u8edf\u8868\u793a\uff0c\u5229\u7528\u9019\u4e9b\u6f0f\u6d1e\u7372\u5f97\u521d\u59cb\u8a2a\u554f\u6b0a\u9650\u5f8c\uff0cHafnium\u5728\u53d7\u611f\u67d3\u7684\u4f3a\u670d\u5668\u4e0a\u90e8\u7f72\u4e86Web Shell\u3002Web Shell\u672c\u8cea\u4e0a\u662f\u8edf\u9ad4\u5f8c\u9580\uff0c\u5b83\u4f7f\u653b\u64ca\u8005\u53ef\u4ee5\u7aca\u53d6\u6578\u64da\u4e26\u57f7\u884c\u5176\u4ed6\u60e1\u610f\u64cd\u4f5c\uff0c\u5f9e\u800c\u9032\u4e00\u6b65\u7834\u58de\u5b89\u5168\u6027\u3002<\/p>\n\n\n\n<p>\u5728Microsoft\u548c\u8cc7\u5b89\u516c\u53f8<a href=\"https:\/\/www.volexity.com\/blog\/2021\/03\/02\/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\/\">Volexity\u4eca\u65e5\u767c\u5e03<\/a>\u7684\u5831\u544a\u4e2d\uff0c\u5169\u5bb6\u516c\u53f8\u8868\u793a\uff0cHafnium\u4f7f\u7528\u9019\u56db\u500bExchange\u96f6\u6642\u5dee\u6f0f\u6d1e\u4f5c\u70ba\u591a\u90e8\u5206\u653b\u64ca\u93c8\u7684\u4e00\u90e8\u5206\uff0c\u4ee5\u7e5e\u904e\u8eab\u4efd\u9a57\u8b49\u904e\u7a0b\uff0c\u7372\u53d6\u7ba1\u7406\u54e1\u7279\u6b0a\uff0c\u7136\u5f8c\u5b89\u88ddASPX Web Shell\u5728\u53d7\u611f\u67d3\u7684\u4f3a\u670d\u5668\u4e0a\u3002<\/p>\n\n\n\n<p>\u4e00\u65e6\u653b\u64ca\u8005\u5728\u7d44\u7e54\u7684Exchange\u4f3a\u670d\u5668\u4e2d\u7acb\u8db3\uff0c\u4ed6\u5011\u4fbf\u958b\u59cb\u5c0e\u51fa\u96fb\u5b50\u90f5\u4ef6\u6536\u4ef6\u7bb1\u548c\u5730\u5740\u7c3f\u7684\u5167\u5bb9\uff0c\u4e26\u53ef\u5c07\u6578\u64da\u4e0a\u50b3\u5230\u9060\u7aef\u4f3a\u670d\u5668\u3002<\/p>\n\n\n\n<p>Volexity\u8868\u793a\u662f\u5728\u5176\u5169\u500b\u5ba2\u6236\u7684Exchange\u4f3a\u670d\u5668\u4e0a\u6aa2\u6e2c\u5230\u7684\u9019\u4e9b\u53ef\u7591\u4e0a\u50b3\u3002\u96a8\u5f8c\u7684\u8abf\u67e5\u767c\u73fe\u4e86\u6301\u7e8c\u7684\u653b\u64ca\uff0c\u8a72\u5b89\u5168\u516c\u53f8\u8868\u793a\u5df2\u5c07\u8abf\u67e5\u7d50\u679c\u5831\u544a\u7d66\u4e86Microsoft\u3002Volexity\u9084\u8868\u793a\uff0c\u5b83\u53ef\u4ee5\u8ffd\u6eaf\u52302021\u5e741\u6708\u7684\u653b\u64ca\u3002\u5fae\u8edf\u9084\u8aaa\uff0c\u5b83\u4e5f\u6536\u5230\u4e86\u4e39\u9ea5\u8cc7\u5b89\u516c\u53f8Dubex\u95dc\u65bc\u653b\u64ca\u7684\u7b2c\u4e8c\u4efd\u5831\u544a\u3002<\/p>\n\n\n\n<p>\u5fae\u8edf\u62d2\u7d55\u900f\u9732\u5df2\u7d93\u770b\u5230\u591a\u5c11\u6b21\u6210\u529f\u7684\u653b\u64ca\uff0c\u4f46\u5c07\u5176\u63cf\u8ff0\u70ba\u201c\u6709\u9650\u7684\u201d\u3002<\/p>\n\n\n\n<p>\u63d0\u4f9b\u95dc\u65bc\u6b64\u6b21\u4e8b\u4ef6\u7684\u60e1\u610fIPs\u6e05\u55ae \uff0c\u4f9b\u8cb4\u53f8\u7684SIEM\u6216Logger\u4f7f\u7528:<\/p>\n\n\n\n<p>103.77.192.219<\/p>\n\n\n\n<p>104.140.114.110<\/p>\n\n\n\n<p>104.250.191.110<\/p>\n\n\n\n<p>108.61.246.56<\/p>\n\n\n\n<p>149.28.14.163<\/p>\n\n\n\n<p>157.230.221.198<\/p>\n\n\n\n<p>167.99.168.251<\/p>\n\n\n\n<p>185.250.151.72<\/p>\n\n\n\n<p>192.81.208.169<\/p>\n\n\n\n<p>203.160.69.66<\/p>\n\n\n\n<p>211.56.98.146<\/p>\n\n\n\n<p>5.254.43.18<\/p>\n\n\n\n<p>5.2.69.14<\/p>\n\n\n\n<p>80.92.205.81<\/p>\n\n\n\n<p>91.192.103.43<\/p>\n\n\n\n<p>\u6709\u95dc\u99ed\u5ba2\u7d44\u7e54Hafnium\u958b\u63a1Microsoft Exchange Server\u7684\u96f6\u6642\u5dee\u6f0f\u6d1e\u7684\u60c5\u8cc7:<\/p>\n\n\n\n<p><a href=\"https:\/\/otx.alienvault.com\/pulse\/603eb1abdd4812819c64e197\">https:\/\/otx.alienvault.com\/pulse\/603eb1abdd4812819c64e197<\/a><\/p>\n\n\n\n<p>\u66f4\u591a\u6709\u95dc\u8cc7\u8a0a\u8acb\u9ede\u64ca\u9019\u88e1\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\">https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2021\/03\/02\/new-nation-state-cyberattacks\/\">https:\/\/blogs.microsoft.com\/on-the-issues\/2021\/03\/02\/new-nation-state-cyberattacks\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2021-exchange-server-security-updates\/ba-p\/2175901\">https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2021-exchange-server-security-updates\/ba-p\/2175901<\/a><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-volexity wp-block-embed-volexity\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"H9qUuNHBKR\"><a href=\"https:\/\/www.volexity.com\/blog\/2021\/03\/02\/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\/\">Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities&#8221; &#8212; Volexity\" src=\"https:\/\/www.volexity.com\/blog\/2021\/03\/02\/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\/embed\/#?secret=H9qUuNHBKR\" data-secret=\"H9qUuNHBKR\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>KEY POINTS: *\u5fae\u8edf\u8868\u793a\u4e00\u500b\u4e2d\u570b\u653f\u5e9c\u8cc7\u52a9\u65b0\u7684\u99ed\u5ba2\u7d44\u7e54\u201dHafnium\u201d\u958b\u63a1\u4e86\u5176\u90f5\u4ef6\u4f3a\u670d\u5668\u7a0b\u5f0f\u78bc\u4e2d\u65b0\u767c <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=941\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[149,150,112],"class_list":["post-941","post","type-post","status-publish","format-standard","hentry","category-6","tag-hafnium","tag-microsoft-exchange-server","tag-112"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=941"}],"version-history":[{"count":2,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/941\/revisions"}],"predecessor-version":[{"id":944,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/941\/revisions\/944"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}