Exchange Backdoor

Report DIVD-2022-00032 - Exchange Backdoor

Written on 28 Nov 2022 by Gerard Janssen

Case lead: Victor Pasman
Case file: DIVD-2022-00032

On May 10th the Security Operation Center of Dutch cybersecurity company Eye Security got an alert about malicious activity on an Exchange server of one of their customers. Researchers of Eye Security found a backdoor that was probably installed months earlier after an initial ProxyLogon or ProxyShell compromise. The backdoor uses the WinRS service on the server to give a malicious actor with credentials remote access to the server.

On 2 June 2022, Eye Security published a blog about their find. The DIVD started scanning the same day. Researchers of the DIVD found a way to test if Windows Exchange servers exposed to the internet had a backdoor.

The first scan on June 6th showed there were 124 exchange servers exposed to the internet that were possibly backdoored. A notification mail was sent to the owners of these systems.

September 17th there were still 105 servers with a possible backdoor. The system owners were notified, and the case was closed.


Date Description
02 Jun 2022 Eye Security publishes their blog about a backdoor on an Exchange Server
03 Jun 2022 DIVD Starts scanning for infected hosts
06 Jun 2022 First version of this case file
06 Jun 2022 First round of notifications sent
21 Jun 2022 Second round of notifications sent
18 Sep 2022 Third round of notifications sent and case closed