Security News > 2022 > May > New IceApple exploit toolset deployed on Microsoft Exchange servers
Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography.
The researchers observed IceApple being deployed after the threat actor obtains initial access to the network belonging to organizations in various activity sectors: technology, academic, and government.
According to the researchers, IceApple has been deployed on Microsoft Exchange Server instances but it can also run under Internet Information Services web applications.
The threat actor behind IceApple has a solid grasp of the IIS software.
"Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software" - CrowdStrike OverWatch.
A closer look reveals that the files have not been randomly created and they are loaded in a way that is not typical of Microsoft Exchange and IIS. Discovering IceApple was possible after CrowdStrike's Falcon cloud-based security solution triggered an alert at a new customer's Microsoft OWA deployment for.
News URL
Related news
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers (source)
- Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits (source)
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)