Symantec cybersecurity experts: The China-linked APT used unpatched vulnerabilities in Microsoft Exchange, the Sodamaster backdoor and other custom malware and tools.
Kaspersky cybersecurity experts: It’s an IIS module that steals data entered by a user when logging into OWA. It also allows remote access to targeted servers.
The researcher Steven Seeley: It’s due to improper validation of cmdlet arguments. Exploitation requires an authenticated user in a certain role. Patches have been released.
The cyber security expert Marco Ramilli analyzed it to match the clues and find out whether Iranian state-sponsored hackers are behind the operation. Some clues say yes; others diverge.