With evidence suggesting that web shells had been installed, we used recently released Microsoft mitigation and remediation tools to confirm our findings. The modification dates of these files was of particular interest, as Microsoft’s public disclosure of the vulnerabilities on led to their widespread exploitation.
To begin our investigation, we manually checked directories that Microsoft has identified as common destinations for web shell installation as reported by Microsoft.ĭuring this initial check, we identified and isolated three Active Server Page Extended (APSX) files on the server, which had been modified between -05: supp0rt.aspx OutlookEN.aspx and RedirSuiteServerProxy.aspx. If all three stages of the attack are successfully exploited, the threat actor gains unfettered access to the Exchange server. Finally, the threat actor escalates their privileges to gain SYSTEM level access, exploiting CVE-2021-26857. During the second stage, the threat actor deploys a web shell or another payload onto the server, exploiting either CVE-2021-26858 or CVE-2021-27065. In the first stage, the threat actor exploits CVE-2021-26855 to gain illegitimate access to a vulnerable Exchange server and exfiltrate mailboxes. The chain of attack covers three distinct stages. As with all publicly-disclosed computer vulnerabilities, a common vulnerabilities and exposure (CVE) ID number was given to each of the four security flaws. Prior to analysis, we sought to understand the sequence of events involved in this attack. The mail server was therefore vulnerable to the ProxyLogon attack. Given a copy of the virtual hard drive providing a snapshot of the system taken on, we were informed that the security patches had not yet been applied. government agency had scanned the client's Exchange server and identified a file that matched a signature for the attack framework, Cobalt Strike. Our investigation focused on an email server running Microsoft Exchange version 2019.Īt the time of our analysis in March 2021, a U.S. It is estimated that more than 30,000 US organisations have been affected by the exploitation of these security flaws by various threat groups. Operators behind the Lemon Duck malware targeted unpatched Exchange servers to mine cryptocurrency. The exploitation of these vulnerabilities became a new vector for ransomware campaigns including Black Kingdom and DearCry. The public nature of these vulnerabilities meant that the longer organisations delayed patching, the more backdoors could potentially be installed by different threat groups.
0 kommentar(er)
