Exchange Server Exploited: Hackers Breach Hong Kong Investment Firm — Blackpanda Containment in 24 Hours

PUBLISHED: November 12, 2025

A Hong Kong investment firm suffered a full Active Directory compromise through unpatched Microsoft Exchange ProxyShell vulnerabilities. Blackpanda IR-1 responders contained the attack, traced the threat actor, and restored control within 24 hours—proving the value of always-on cyber first response.

The Incident: Exchange Compromise in Motion

In March 2024, a Hong Kong investment firm detected Cobalt Strike beacon alerts from FortiGate and Symantec. Unbeknownst to the team, a threat actor had already been entrenched for weeks—abusing the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to execute code remotely on the firm's Exchange servers.

The attacker established persistence with multiple webshells (ps5.aspx, proxy.aspx, god.aspx) and backdoored DLLs, while deploying an IOX-variant tunnelling tool (tst.log) for covert command-and-control. Antivirus was disabled and event logs wiped to hinder forensics. By the time the firm activated IR-1, one domain controller and two Exchange servers were compromised.

IR-1 in Action: Swift Containment and Attribution

Blackpanda responders isolated affected hosts, triaged artefacts, and reconstructed the attacker’s campaign.

Key Findings

  • Initial entry via unpatched ProxyShell vulnerabilities
  • Persistent webshells enabling arbitrary commands
  • Obfuscated DLL persistence and autorun scripts
  • Lateral movement using stolen admin credentials (victorlam_adm)
  • Cobalt Strike beacons identified and neutralised
  • Logging / AV evasion confirmed
  • External C2 via IOX variant linked to U.S. infrastructure “Toomanygs”
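The findings above rest on two kinds of evidence a responder pulls first: files that should not exist in Exchange's web directories (the ps5.aspx, proxy.aspx and god.aspx webshells) and event-log entries showing that logging and antivirus were tampered with. The script below is an added illustration of that triage written for this page; it is not Blackpanda's tooling. It runs over a constructed file inventory and constructed event records, assumes the standard Exchange front-end `owa\auth` directory as the hunt location, and uses Windows Event ID 1102 (Security audit log cleared) and Microsoft Defender event 5001 (real-time protection disabled) as the tampering indicators.

```python
"""Webshell and anti-forensics triage over inline sample data (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEntry:
    path: str            # full path on the Exchange server
    modified: datetime   # last-write timestamp from the file system


@dataclass(frozen=True)
class WinEvent:
    log: str             # event channel name
    event_id: int
    time: datetime
    message: str


# Front-end directory that Exchange-era webshells are commonly written into.
# The baseline listing below is constructed for this example, not a real install.
AUTH_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"

KNOWN_GOOD_ASPX = {
    AUTH_DIR + r"\logon.aspx",
    AUTH_DIR + r"\errorFE.aspx",
}

# Constructed inventory of the same directory as collected during triage.
SAMPLE_INVENTORY = [
    FileEntry(AUTH_DIR + r"\logon.aspx", datetime(2023, 6, 1, 9, 0)),
    FileEntry(AUTH_DIR + r"\errorFE.aspx", datetime(2023, 6, 1, 9, 0)),
    FileEntry(AUTH_DIR + r"\ps5.aspx", datetime(2024, 2, 20, 3, 14)),
    FileEntry(AUTH_DIR + r"\proxy.aspx", datetime(2024, 2, 20, 3, 15)),
    FileEntry(AUTH_DIR + r"\god.aspx", datetime(2024, 2, 22, 1, 2)),
    FileEntry(AUTH_DIR + r"\logo.png", datetime(2023, 6, 1, 9, 0)),
]

# Constructed event records exported from the same host.
SAMPLE_EVENTS = [
    WinEvent("Security", 4624, datetime(2024, 2, 20, 3, 10), "An account was successfully logged on"),
    WinEvent("Microsoft-Windows-Windows Defender/Operational", 5001,
             datetime(2024, 2, 20, 3, 12), "Real-time protection is disabled"),
    WinEvent("Security", 1102, datetime(2024, 2, 22, 1, 30), "The audit log was cleared"),
    WinEvent("System", 7036, datetime(2024, 2, 22, 1, 31), "Service entered the running state"),
]

# (channel, event id) pairs that indicate log wiping or AV tampering.
ANTI_FORENSICS = {
    ("Security", 1102): "Security audit log cleared",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
}


def find_unexpected_aspx(inventory, baseline):
    """Return paths of .aspx files on disk that are absent from the baseline, oldest first.
    Each hit is a webshell candidate to be preserved and reviewed, not deleted blindly."""
    hits = [f for f in inventory
            if f.path.lower().endswith(".aspx") and f.path not in baseline]
    return [f.path for f in sorted(hits, key=lambda f: f.modified)]


def find_anti_forensics(events):
    """Return (timestamp, description) for events showing log clearing or AV tampering."""
    return [(e.time, ANTI_FORENSICS[(e.log, e.event_id)])
            for e in events if (e.log, e.event_id) in ANTI_FORENSICS]


def webshells_predating_log_clear(inventory, baseline, events):
    """Webshells written before the earliest Security-log clear: their creation
    events are likely gone, so the file system timeline is the remaining evidence."""
    clears = [e.time for e in events if (e.log, e.event_id) == ("Security", 1102)]
    if not clears:
        return []
    first_clear = min(clears)
    suspects = find_unexpected_aspx(inventory, baseline)
    mtime = {f.path: f.modified for f in inventory}
    return [p for p in suspects if mtime[p] < first_clear]


if __name__ == "__main__":
    for path in find_unexpected_aspx(SAMPLE_INVENTORY, KNOWN_GOOD_ASPX):
        print("unexpected .aspx:", path)
    for when, what in find_anti_forensics(SAMPLE_EVENTS):
        print("anti-forensics:", when, what)
    for path in webshells_predating_log_clear(SAMPLE_INVENTORY, KNOWN_GOOD_ASPX, SAMPLE_EVENTS):
        print("creation likely wiped from Security log:", path)
```

The baseline comparison is deliberately a set of full paths rather than a hash list: on a real engagement the known-good set comes from a clean install of the same Exchange build or a peer server, and anything outside it is pulled for content review. The third check makes the report's "event logs wiped" finding actionable, since files that predate the clear will not have their creation recorded in the Security log and must be timelined from NTFS metadata instead.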

“This wasn’t ransomware—it was stealth, escalation, and persistence. IR-1 got us back in control.”
— CTO, Hong Kong Investment Firm

Cost Savings Snapshot

All prices are indicative and subject to change at any time.

What Could Have Happened Without IR-1

Without IR-1, the firm risked:

  • Complete Active Directory takeover
  • Weeks of unnoticed attacker persistence
  • Regulatory and reputational fallout
  • Uncontrolled consulting spend

IR-1 delivered:

  • Immediate mobilisation of DFIR experts
  • Detailed attack reconstruction and attribution
  • Full persistence eradication
  • Strategic hardening guidance

Beyond the Response: Long-Term Resilience

Blackpanda provided tactical and strategic uplift:

  • Hardening of Exchange and AD servers
  • Removal of legacy admin accounts
  • Patch validation and upgrade support
  • IP-based access controls for Exchange logins
  • Migration to next-gen EDR with forensic support
  • Continuous compromise assessment across infrastructure

Already an IR-1 Customer? You’re Covered.

As an IR-1 subscriber, you already have 24/7 access to Asia’s leading cyber incident responders, underwritten by Lloyd’s of London.

Your subscription includes:

  • Always-on access to Blackpanda’s DFIR team
  • Continuous Attack Surface Management (ASM)
  • Discounted cyber insurance directly underwritten by Blackpanda

Cyber emergency? IR-1 puts elite response just a few clicks away.

Frequently Asked Questions

1) What triggered the IR-1 response?

Cobalt Strike beacons detected by FortiGate and Symantec revealed unauthorised command-and-control activity on the Exchange servers.

2) Which vulnerabilities were exploited?

The attack abused Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, -34523, -31207) to achieve remote code execution.

3) How did Blackpanda contain the attack?

Responders isolated servers, removed webshells and DLL backdoors, neutralised Cobalt Strike beacons, and re-established clean operations within 24 hours.

4) Was any data exfiltrated or encrypted?

No evidence of data exfiltration or encryption was found; the threat focused on persistence and privilege escalation.

5) What persistence methods were used?

The attacker relied on multiple ASP.NET webshells, compiled DLL backdoors, autorun scripts, and IOX-based tunnelling tools for external C2.

6) What steps did the firm take after containment?

Patched Exchange and Windows systems, removed unused accounts, hardened access controls, and deployed EDR with forensic capabilities.

7) How did IR-1 improve response speed?

IR-1 enabled same-day deployment without contracting delays, ensuring forensics and remediation began immediately.

8) What were the cost savings?

Compared to estimated consulting fees of USD 33,000 for traditional engagements, IR-1’s annual subscription avoided tens of thousands in reactive spend.

9) Could this have been prevented?

Yes—timely patching of Exchange servers and continuous vulnerability monitoring would have closed the ProxyShell exposure before exploitation.

10) What key lesson should organisations take away?

Even well-secured financial institutions remain vulnerable to unpatched software. Fast, pre-authorised incident response through IR-1 is critical for containment and recovery.