4 June 2019

Brute-forcing tools for Microsoft Exchange servers leaked

A tool for hijacking Microsoft Exchange email accounts, allegedly from the arsenal of the OilRig APT group, has been leaked online in a Telegram channel run by an individual who goes by the name Lab Dookhtegan. The same person was behind the leak of six other hacking tools in April 2019, which cybersecurity researchers had previously linked to OilRig's operations.

The utility is called Jason. According to security researcher Omri Segev Moyal of Minerva Labs, it is a GUI utility for brute-forcing Microsoft Exchange email accounts using pre-compiled lists of username and password combinations. Its compile timestamp dates it to 2015; if that timestamp is genuine (PE compile times are trivial to forge), the Iranian operators had been using the tool for at least four years.

However, while the tools leaked in April had already been seen in earlier OilRig campaigns, Jason is new to cybersecurity researchers. At the time of writing only three antivirus engines on VirusTotal detect it.
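Since signature coverage for the tool itself is thin, the more reliable place to catch it is on the server: a tool that replays username/password lists against Exchange's authenticated endpoints (EWS, ActiveSync, Autodiscover, MAPI/RPC over HTTP) leaves a burst of failed logons from one client IP, spread across many accounts when it sprays or concentrated on one account when it brute-forces. The following is an added example, not code from the article, the leaked tool or any vendor, that parses IIS W3C logs from an Exchange front end and flags that pattern. It assumes the default IIS field layout and that the cs-username field carries the account presented on a failed (401) authentication; the log lines, IP addresses and account names are constructed for the example and the thresholds are illustrative.

```python
"""Flag brute-force / password-spray activity against Exchange front ends
from IIS W3C logs.  Added example; assumptions are noted in comments."""
from collections import defaultdict
from datetime import datetime, timedelta

# Exchange virtual directories that accept credentials directly.
AUTH_PATHS = ("/ews/", "/owa/", "/microsoft-server-activesync",
              "/autodiscover/", "/mapi/", "/rpc/")

# Constructed sample log (not real traffic).  Default IIS field layout;
# IIS replaces spaces inside field values with '+', so split() is safe.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-06-04 08:00:00 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 Mozilla/5.0 - 401 2 5 3
2019-06-04 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\alice 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 15
2019-06-04 08:00:40 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\bob 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 12
2019-06-04 08:01:15 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\carol 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 14
2019-06-04 08:01:55 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=dave&DeviceId=X1 443 CORP\dave 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 11
2019-06-04 08:02:30 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\erin 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 13
2019-06-04 08:03:20 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\frank 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 12
2019-06-04 08:05:00 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\admin 203.0.113.9 Mozilla/5.0 - 401 1 2148074254 16
2019-06-04 08:05:12 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\admin 203.0.113.9 Mozilla/5.0 - 401 1 2148074254 14
2019-06-04 08:05:25 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\admin 203.0.113.9 Mozilla/5.0 - 401 1 2148074254 15
2019-06-04 08:05:40 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\admin 203.0.113.9 Mozilla/5.0 - 401 1 2148074254 13
2019-06-04 08:05:58 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\admin 203.0.113.9 Mozilla/5.0 - 401 1 2148074254 14
2019-06-04 08:10:00 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.3 Outlook/16.0 - 401 2 5 2
2019-06-04 08:10:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\grace 198.51.100.3 Outlook/16.0 - 401 1 2148074254 18
2019-06-04 08:10:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\grace 198.51.100.3 Outlook/16.0 - 200 0 0 45
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by field name.
    Field order comes from the '#Fields:' directive, so a customised or
    reordered IIS logging configuration still parses correctly."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def failed_logons(records):
    """Yield (client_ip, username, timestamp) for rejected credentials.
    A 401 with cs-username '-' is the server's initial auth challenge,
    not a failed attempt, so it is excluded."""
    out = []
    for r in records:
        if r["sc-status"] != "401" or r["cs-username"] == "-":
            continue
        if not r["cs-uri-stem"].lower().startswith(AUTH_PATHS):
            continue
        when = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        out.append((r["c-ip"], r["cs-username"].lower(), when))
    return out


def detect_auth_abuse(records, window=timedelta(minutes=10),
                      max_failures=5, min_users_for_spray=3):
    """Per client IP, find the densest sliding window of failed logons and
    classify it: many distinct accounts = password spray, few = brute force.
    Thresholds are illustrative and should be tuned to the environment."""
    by_ip = defaultdict(list)
    for ip, user, when in failed_logons(records):
        by_ip[ip].append((when, user))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        best, start = (0, 0, 0), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < max_failures:
            continue
        users = {u for _, u in events[s:e + 1]}
        findings.append({
            "client_ip": ip,
            "failures": count,
            "distinct_users": len(users),
            "kind": "password_spray" if len(users) >= min_users_for_spray else "brute_force",
            "first": events[s][0].isoformat(),
            "last": events[e][0].isoformat(),
        })
    return sorted(findings, key=lambda f: -f["failures"])


if __name__ == "__main__":
    for finding in detect_auth_abuse(parse_iis_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, 203.0.113.7 is reported as a password spray (six accounts, six failures in four minutes) and 203.0.113.9 as brute force (one account, five failures in a minute), while the single mistyped password from 198.51.100.3 is ignored. A tool that throttles itself below these thresholds will slip through a fixed window, so in practice correlate the front-end logs with Windows Security events 4625/4776 on the domain controllers and watch for the same client IP recurring across days.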

OilRig, also known as APT34 and HelixKitten, is a group linked to the Iranian government and believed to be staffed by members of the Iranian Ministry of Intelligence (MOIS). It has been active since at least 2014 and has targeted financial, government, energy, chemical and telecommunications organisations, with a focus on the Middle East.

Currently seven tools associated with the OilRig group are publicly available:

  • 2 PowerShell-based backdoors: Poison Frog and Glimpse, both versions of a tool that Palo Alto Networks calls BondUpdater;
  • 4 web shells: HyperShell and HighShell, Fox Panel, and Webmask (the DNSpionage tool);
  • the Jason email hijacking tool for Microsoft Exchange accounts.
