I’m running a Keycloak server on an AWS EC2 instance (project still in development, not many users).
AWS has been sending me “abuse reports” saying that my Keycloak server is a Microsoft Exchange server and that I must apply Microsoft’s latest security patches (in response to last week’s hacks).
These emails confused me. Does Keycloak run Microsoft Exchange under the hood or something? Or has AWS made a mistake? Has anyone else received these emails from AWS?
Here are the emails (some redaction):
Hello,
We are forwarding this to you as the Exchange IP is located on your account.
[server details redacted]
This is to inform you of an issue which we believe is related to an email service run by someone that may have a relationship with your organization. We wanted to get this information to you as quickly as possible since there may be significant impact to the owners of these systems.
In short, a set of vulnerabilities were published late last week by Microsoft which could allow an adversary full control over an internet connected Exchange server. Microsoft has made patches available for these vulnerabilities and we suggest that you review and expedite the patching of your Exchange services.
Additionally, we have attached a list of servers which were in the disclosure to us by a third party who we believe may have a relationship with your company. The third party has indicated that the machines listed may have been compromised, potentially allowing an attacker full control over the server and potentially other portions of your network connected to or trusted by that endpoint. In addition, a number of machines were confirmed to have been compromised and have been indicated as such under the “Confirmed Root Shell” column in the table below.
Further information about this issue can be found at the following links:
[ links removed ]
We would suggest that the impacted parties get in touch with Law Enforcement if they can confirm the compromise. The first link also provides contact information for reporting any compromises or requesting additional information.
Regards,
AWS Trust & Safety
Amazon Web Services, LLC
—Beginning of forwarded report(s)—
- Log Extract:
Exchange Server IP Exchange SSL Cert SSL Cert A record WWW A Record Mail A Record Confirmed Root Exchange ASN Exchange ASNAME WWW ASN WWW ASNAME MAIL ASN MAIL ASNAME SSL DOM SOA IP CONTACT
52.63.29.62 *.suredrop.dev None None 54.253.136.108 FALSE 16509 AMAZON-02 16509 AMAZON-02 awsdns-hostmaster.amazon.com. amzn-noc-contact@amazon.com
Hello,
AWS Trust & Safety has received notification from various CIRT and Security Researchers about a new vulnerability. It is possible that the instance/IP reported to you is impacted by this vulnerability.
- A server is reachable from public internet on port 443/tcp
- This IP address is offering Outlook Web Access services on this port
- The version number in the OWA files indicates that the patches Microsoft released on the 2nd of March have not been installed.
- We used this script to determine these facts: [link removed]
Using these vulnerabilities an attacker can:
- Impersonate the Exchange server
- Execute code with SYSTEM privileges
- Upload random files to the
These vulnerabilities are currently actively being abused. Microsoft has released a blog post about them and the attacks: [link removed]
Patches are available: [link removed]
We publish our up to date data on this case on our case page: [link removed]