Antigen Security – Cyber Pathogenesis Series – Proxy War Without End


Welcome to the inaugural installment of Cyber Pathogenesis, Antigen Security’s new cyber threat intelligence series! This series aims to provide actionable information on the modern cybersecurity threat landscape for both network defenders and classic IT practitioners alike.

 

“For what can war, but endless war, still breed?” – John Milton

 

The cybersecurity industry has been grappling with an ongoing series of Microsoft (MSFT) Exchange zero-day attacks since Q1 2021. What began with a group of China-linked actors termed HAFNIUM targeting victims of traditional foreign intelligence value has devolved into a broad wave of opportunistic crimeware attacks involving costly data extortion schemes, such as ransomware. Antigen recommends that any suspected victim self-assess their own risk with a few simple checks.

As a first step, inspect the current patch level of both Exchange and the host OS. Confirm whether the server in question lacks the patches mentioned below and is therefore imminently vulnerable. The Microsoft Exchange product team published the following statement on August 25, 2021.

“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).

But if you have not installed either of these security updates, then your servers and data are vulnerable. As we have said several times, it is critical to keep your Exchange servers updated with latest available Cumulative Update (CU) and Security Update (SU).

Your Exchange servers are vulnerable if any of the following are true:

  • The server is running an older, unsupported CU (without May 2021 SU);
  • The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or
  • The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

In all of the above scenarios, you must install one of latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.

Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats. Please update now!”

Once vulnerability is confirmed, check for indicators of compromise (IOCs) to establish whether a breach has already occurred. Huntress did an outstanding job tracking and publishing IOCs related to the Proxy family of exploits (ProxyLogon, ProxyShell, ProxyToken, etc.) seen over the past several months. Below are the most recent IOCs they have published.

WebShell File Locations:

C:\Users\All Users\COM

C:\Users\All Users\COM1

C:\Users\All Users\CON

C:\Users\All Users\WHO

C:\Users\All Users\XYZ

C:\Users\All Users\ZOO

C:\Users\All Users\ZING

C:\ProgramData\*

C:\Windows\System32\inetsrv\Config\applicationHost.config

Observed Attacker Infrastructure and User-Agent Strings:

37.221.115[.]68 – python-requests/2.25.1

45.144.30[.]18 – python-requests/2.26.0

84.17.46[.]174 – python-requests/2.26.0

116.203.201[.]159 – python-requests/2.26.0

116.203.201[.]159 – Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)

203.184.132[.]186 – python-requests/2.25.1

203.184.132[.]186 – Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)

Observed WebShell Filenames and Paths:

C:\inetpub\wwwroot\aspnet_client\HWTJQDMFVMPOON.aspx

C:\inetpub\wwwroot\aspnet_client\VJRFWFCHRULT.aspx

C:\inetpub\wwwroot\aspnet_client\error.aspx

D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\HWTJQDMFVMPOON.aspx

C:\inetpub\wwwroot\aspnet_client\nhmxea.aspx.aspx

C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\d62ffcd688.aspx

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\zaivc.aspx

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\415cc41ac1.aspx

C:\inetpub\wwwroot\aspnet_client\253283293.aspx

C:\inetpub\wwwroot\aspnet_client\ykmsr.aspx

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\6514f55e1a.aspx

C:\inetpub\wwwroot\aspnet_client\KDNLIE.aspx

C:\inetpub\wwwroot\aspnet_client\VOLWMFQWPP.aspx

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\VOLWMFQWPP.aspx

C:\inetpub\wwwroot\aspnet_client\system_web\NUQvLIoq.aspx

C:\inetpub\wwwroot\aspnet_client\shell.aspx

C:\inetpub\wwwroot\aspnet_client\updateServer.aspx

NOTE: Automated IOC scans can be performed using Thor Lite.
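As an added example (not tooling from Antigen, Huntress, or Microsoft), the following Python script turns the IOCs listed above into an offline sweep a responder can run over copied IIS logs and a mounted evidence image or live system drive. It parses IIS W3C logs using the `#Fields:` header, flags requests from the listed IPs or carrying the listed user-agent strings, flags any `.aspx` served from the two drop directories (`aspnet_client` and `owa/auth`) that is not on a small stock-page allowlist, and checks the listed drop paths on disk. The log lines are constructed, the allowlist and the `root` parameter are assumptions, and the IOC values are the ones published above with the de-fanging brackets removed.

```python
"""Sweep IIS logs and the filesystem for the ProxyShell IOCs listed above.

Added example, not Antigen's, Huntress's or Microsoft's tooling. IOC values are
the published ones with de-fanging brackets removed; log lines are constructed.
"""
import tempfile
from pathlib import Path
from typing import Iterable, Iterator

IOC_IPS = {"37.221.115.68", "45.144.30.18", "84.17.46.174",
           "116.203.201.159", "203.184.132.186"}
# Matched exactly: the truncated Mozilla string (no Chrome/Safari suffix) is the
# indicator, so a real browser UA that merely starts with it must not match.
IOC_USER_AGENTS = {
    "python-requests/2.25.1",
    "python-requests/2.26.0",
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)",
}
# URL directories the published webshells were served from; any .aspx there
# that is not a stock page gets flagged (allowlist is an assumption; extend it
# per Exchange build after checking against a known-good server).
WEBSHELL_URL_DIRS = ("/aspnet_client/", "/owa/auth/")
KNOWN_GOOD_ASPX = {"logon.aspx", "logoff.aspx"}
# On-disk drop locations from the published list, relative to the system drive.
# applicationHost.config is omitted on purpose: it always exists and is modified
# rather than dropped, so diff it against a known-good copy instead.
WEBSHELL_DROP_PATHS = [
    "Users/All Users/COM", "Users/All Users/COM1", "Users/All Users/CON",
    "Users/All Users/WHO", "Users/All Users/XYZ", "Users/All Users/ZOO",
    "Users/All Users/ZING",
    "inetpub/wwwroot/aspnet_client/supp0rt.aspx",
    "inetpub/wwwroot/aspnet_client/shell.aspx",
    "Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/d62ffcd688.aspx",
]


def parse_iis_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, naming columns from the W3C #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than crash
        yield dict(zip(fields, parts))


def triage_request(rec: dict) -> list[str]:
    """Return the IOC reasons that apply to one parsed request (empty if clean)."""
    reasons = []
    if rec.get("c-ip") in IOC_IPS:
        reasons.append("client IP on IOC list")
    if rec.get("cs(User-Agent)") in IOC_USER_AGENTS:
        reasons.append("user-agent on IOC list")
    stem = rec.get("cs-uri-stem", "").lower()
    if stem.endswith(".aspx") and any(d in stem for d in WEBSHELL_URL_DIRS):
        if stem.rsplit("/", 1)[-1] not in KNOWN_GOOD_ASPX:
            reasons.append(f"non-stock .aspx in webshell directory: {stem}")
    return reasons


def sweep_log(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (request summary, reasons) for every request with at least one hit."""
    hits = []
    for rec in parse_iis_log(lines):
        reasons = triage_request(rec)
        if reasons:
            summary = f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']}"
            hits.append((summary, reasons))
    return hits


def check_drop_locations(root: Path) -> list[str]:
    """Return listed drop paths present under root, plus any .aspx under ProgramData.

    root is the system drive (Path('C:/')) on a live host or the mount point of an
    evidence image; it is a parameter so the check can be exercised offline."""
    present = [str(root / rel) for rel in WEBSHELL_DROP_PATHS if (root / rel).exists()]
    program_data = root / "ProgramData"  # the published "C:\ProgramData\*" entry
    if program_data.is_dir():
        present.extend(str(p) for p in program_data.rglob("*.aspx"))
    return present


SAMPLE_LOG = [  # constructed IIS W3C lines for demonstration, not a real capture
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2021-08-26 00:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0+Safari/537.36 - 200 0 0 15",
    "2021-08-26 00:02:10 10.0.0.5 GET /owa/ - 443 - 45.144.30.18 python-requests/2.26.0 - 302 0 0 12",
    "2021-08-26 00:02:11 10.0.0.5 POST /aspnet_client/supp0rt.aspx - 443 - 45.144.30.18 python-requests/2.26.0 - 200 0 0 33",
    "2021-08-26 00:03:00 10.0.0.5 GET /owa/auth/d62ffcd688.aspx - 443 - 116.203.201.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko) - 200 0 0 20",
    "2021-08-26 00:04:00 10.0.0.5 GET /ecp/default.aspx - 443 - 10.0.0.21 Mozilla/5.0+(Macintosh) - 200 0 0 10",
]


def build_demo_tree(root: Path) -> Path:
    """Create a constructed tree containing two of the drop locations (placeholders only)."""
    (root / "Users" / "All Users").mkdir(parents=True, exist_ok=True)
    (root / "Users" / "All Users" / "COM").write_text("constructed placeholder")
    (root / "ProgramData" / "sub").mkdir(parents=True, exist_ok=True)
    (root / "ProgramData" / "sub" / "x.aspx").write_text("constructed placeholder")
    return root


def demo_drop_check() -> list[str]:
    """Run check_drop_locations against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_drop_locations(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for summary, reasons in sweep_log(SAMPLE_LOG):
        print(summary, "->", "; ".join(reasons))
    print(demo_drop_check())
```

Two design points worth noting: the user-agent match is exact rather than prefix-based, because the published Mozilla string is a truncated browser UA and a prefix match would flag every real Chrome user; and the `.aspx` check flags by directory rather than by filename, since the published webshell names are random and the next intrusion will use different ones. On a live server point `root` at `Path("C:/")` (and the `D:` drive where Exchange is installed there) and feed `sweep_log` the files under the IIS log directory for both the front-end and back-end sites.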

Both the MSFT and Huntress articles describe how to eradicate an encountered webshell on an Exchange server. However, eradication should not be confused with absolute risk mitigation. Attackers rely on webshells as an initial means of semi-persistent network access and then often follow up by installing redundant persistence mechanisms such as beaconing implants or conventional remote desktop management software. Ransomware operators typically then perform data extortion on multiple levels.

This is all to say: if evidence of compromise is found or strongly suspected, a compromise assessment is essential.
