SPOTLIGHT ON SECURITY – EXCHANGE SERVER ATTACKS


Thursday, March 11th, 2021

The information below is a recap of a security bulletin distributed to all Atlas Clients and is also included in this report due to its extreme importance.

Executive Summary:

If you are running an on-premises Microsoft Exchange Server, you need to patch it immediately and remove web access to it until you can do so. There is an active exploitation campaign, spearheaded by a Chinese APT group, that chains together several zero-day exploits to compromise every Exchange server the attackers come across. This is a high-priority alert and should be taken seriously. More comprehensive details follow in the writeup below.

Technical Overview:

On March 2nd, Microsoft disclosed that four zero-day vulnerabilities were being used in attacks against Microsoft Exchange servers with the OWA components exposed to the internet. It has been observed that many vessels serviced by VBH are running Microsoft Exchange Servers locally, and it is imperative that they be patched as soon as possible. Microsoft has released an emergency out-of-band security update for all Exchange Server versions targeted in the attack, from Windows Server 2013 onward. The exploit requires the attacker to reach an Exchange server with port 443 exposed to the internet. Until servers can be patched, it is recommended that all port forwarding to Exchange web services be stopped. Blocking access to port 443 will not stop email from being sent or received; it only disallows access to Exchange over the web interface, and all Outlook clients will continue to work normally.

Microsoft’s in-house implementation used for its hosted Exchange services is not affected by this attack, but all locally hosted versions of Exchange are. The attack chains together four separate, previously undisclosed vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) into a chain capable of compromising an Exchange server that is fully patched up to the end of February 2021. Once a server is compromised, attackers from the HAFNIUM group (a Chinese state-sponsored group) have been observed uploading web shells to it to maintain access. These web shells allow them to steal data, upload files, and execute almost any command on the compromised system. If the Exchange server is on the same network segment as other computers, the attacker can leverage this initial access as a pivot into the rest of the network. They have also been observed extracting credentials from compromised servers for use in lateral movement.

Expert Opinions:

Experts in the security community believe that the initial estimate of 30,000 servers being compromised is low. Mass exploitation has been occurring for over 8 days. If you have an externally facing OWA server, consider yourself compromised and enact IR. The patch fixes the vulnerability, but not the access already established. Also, do not expect calm from this anytime soon, and expect it to get worse. I would not be surprised, in the short term, if access is not sold to various groups, including ransomware. It is critical to get the word out there to remove the initial access components and not just patch. Having 2FA on OWA will probably not protect from this attack, because MFA does not replace the initial login screen for authentication or how this exploit worked. – Paraphrasing David Kennedy via Twitter

Tools for Detection:

Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has created an Nmap script that can be used to scan a network for potentially vulnerable Microsoft Exchange servers. After downloading the NSE script to the appropriate folder, it can be executed with the command “nmap --script http-vuln-exchange”. Additionally, Microsoft has pushed out an update to its Microsoft Safety Scanner (MSERT) tool to detect web shells deployed in the recent Exchange Server attacks; for organizations not using Microsoft Defender, the updated signatures in this standalone tool help find and remove the web shells used in these attacks. The most common paths where uploaded web shells reside are the following:

  • %IIS installation path%\aspnet_client\*
  • %IIS installation path%\aspnet_client\system_web\*
  • %Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
  • Configured temporary ASP.NET files path
  • %Exchange Server Installation%\FrontEnd\HttpProxy\ecp\auth\*
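The paths above are where investigators have most often found dropped web shells, but the owa\auth and ecp\auth folders legitimately contain .aspx pages, so a useful first triage is to list script files in these locations that were created or modified after a chosen date and record their hashes for review. The following PowerShell is an added example written for this bulletin; it is not the Microsoft Safety Scanner, the CERT Latvia script or any other tool the page refers to. It assumes the default IIS root under inetpub, the ExchangeInstallPath environment variable that Exchange setup creates, and the default .NET Framework 4 temporary ASP.NET files folder; override the parameters if your installation differs.

```powershell
<#
Added example: list recently created or modified script files in the common
web shell drop locations named in the bulletin. Path defaults are assumptions
(default IIS root, Exchange's ExchangeInstallPath variable, .NET 4 temp folder).
#>
param(
    # Files created or modified on or after this date are reported. The default
    # is a constructed value a few days before Microsoft's March 2nd disclosure.
    [datetime]$Since = (Get-Date '2021-02-26'),
    [string]$IisRoot = (Join-Path $env:SystemDrive 'inetpub\wwwroot'),
    [string]$ExchangeRoot = $env:ExchangeInstallPath,
    [string]$AspNetTemp = (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files')
)

function Get-CandidatePaths {
    param([string]$IisRoot, [string]$ExchangeRoot, [string]$AspNetTemp)
    $paths = @()
    if ($IisRoot) {
        $paths += Join-Path $IisRoot 'aspnet_client'
        $paths += Join-Path $IisRoot 'aspnet_client\system_web'
    }
    if ($ExchangeRoot) {
        $paths += Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'
        $paths += Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'
    }
    if ($AspNetTemp) { $paths += $AspNetTemp }
    # Only directories that exist on this server are worth scanning.
    $paths | Where-Object { Test-Path -LiteralPath $_ -PathType Container }
}

function Find-RecentScriptFiles {
    param([string[]]$Paths, [datetime]$Since)
    $sinceUtc = $Since.ToUniversalTime()
    foreach ($dir in $Paths) {
        # -Recurse matters: the temporary ASP.NET folder is deeply nested and
        # -Include only applies when recursing.
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include '*.aspx', '*.asp', '*.ashx' -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTimeUtc -ge $sinceUtc -or $_.LastWriteTimeUtc -ge $sinceUtc } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SizeBytes   = $_.Length
                    # SHA256 gives you something to compare against vendor
                    # signatures and to preserve as evidence before cleanup.
                    Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$paths = Get-CandidatePaths -IisRoot $IisRoot -ExchangeRoot $ExchangeRoot -AspNetTemp $AspNetTemp
$hits  = Find-RecentScriptFiles -Paths $paths -Since $Since
if ($hits) {
    $hits | Sort-Object CreatedUtc | Format-Table -AutoSize
} else {
    "No .aspx/.asp/.ashx files created or modified since $Since under: $($paths -join '; ')"
}
```

Treat the output as a review list, not a delete list: a Cumulative Update also rewrites files under owa\auth and ecp\auth, so files flagged by date need their hash checked against a known-good installation (or the MSERT signatures mentioned above) before anything is removed, and anything you do remove should be hashed and preserved for the incident record first.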

CERT Latvia has also released a PowerShell script that can be used to scan for web shells; it is available here.

Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.

Microsoft has also released a script that analyzes Exchange files and compares known-good hashes against what is currently installed; it is available here.
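The idea behind that Microsoft script, comparing what is on disk against hashes taken from a known-good installation, is a general integrity check that is worth understanding on its own. The PowerShell below is an added example written for this bulletin and is not the Microsoft script referred to above. It records a SHA256 baseline of a directory tree on a trusted server and then classifies every file on a suspect server as Unexpected (present but not in the baseline, which is how a dropped web shell shows up), Modified, or Missing. It assumes both servers run the same Exchange build, since every CU or security update changes the legitimate hashes; the file paths in the usage comments are placeholders.

```powershell
<#
Added example: known-good hash baseline for a directory tree (e.g. the
Exchange FrontEnd\HttpProxy folder). Baseline CSV columns: RelativePath,Sha256.
Not the Microsoft script the bulletin refers to; paths in usage are assumptions.
#>

function New-HashBaseline {
    param([string]$Root, [string]$BaselineCsv)
    # Normalize the root so relative paths are computed consistently.
    $Root    = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $rootLen = $Root.Length + 1
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootLen)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $BaselineCsv -NoTypeInformation
}

function Compare-HashBaseline {
    param([string]$Root, [string]$BaselineCsv)
    $Root    = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $rootLen = $Root.Length + 1

    # Expected hashes keyed by relative path; Get-FileHash returns uppercase hex.
    $expected = @{}
    foreach ($row in Import-Csv -LiteralPath $BaselineCsv) {
        $expected[$row.RelativePath] = $row.Sha256.ToUpperInvariant()
    }

    $seen = @{}
    foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File) {
        $rel  = $file.FullName.Substring($rootLen)
        $seen[$rel] = $true
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if (-not $expected.ContainsKey($rel)) {
            # A file the known-good build does not have at all: the web shell case.
            [pscustomobject]@{ Status = 'Unexpected'; RelativePath = $rel; Sha256 = $hash }
        } elseif ($expected[$rel] -ne $hash) {
            # Same path, different content: a legitimate page that was tampered with,
            # or a build mismatch between the two servers.
            [pscustomobject]@{ Status = 'Modified';   RelativePath = $rel; Sha256 = $hash }
        }
    }

    # Files in the baseline that are gone from the suspect server.
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel; Sha256 = $expected[$rel] }
        }
    }
}

# Usage (placeholder paths). Run the first line on a trusted server of the same
# build, copy the CSV, then run the second on the server under investigation.
# $proxy = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
# New-HashBaseline     -Root $proxy -BaselineCsv 'C:\baseline\httpproxy.csv'
# Compare-HashBaseline -Root $proxy -BaselineCsv 'C:\baseline\httpproxy.csv' | Format-Table -AutoSize
```

A large number of Modified results usually means the two servers are on different update levels rather than widespread tampering; a handful of Unexpected .aspx files in the auth folders is the result that matters and should be escalated to incident response along with the hashes.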

Recommended Actions and Response:

Patch Microsoft Exchange servers using Windows Update to install both the most recent Cumulative Update (CU) and Update Rollup (RU). A standalone installer is also available from the Microsoft Download Center for machines that cannot run Windows Update. Be aware of a known issue with the standalone installer: when it is run under the context of a non-administrative user, it fails to apply the patch but displays no error message, so it appears to have succeeded when it has not. If applying the updates manually, download the executable from Microsoft, right-click it and select Run as administrator, while logged on with an account that has administrative rights to the Exchange Server. Finally, use the tools listed in the detection section above to confirm that no web shells were uploaded to the Exchange server.

Finally, Atlas Cybersecurity offers several affordable Managed Detection and Response plans that can help not only secure your organization against attacks like the one described above but also provide valuable insight into vulnerabilities on your vessel that could be exploited by attackers. With Atlas in your corner, you can have the peace of mind of knowing that your network is being watched around the clock by leading industry security experts who will alert you to attempted compromises as they happen and help you mitigate security issues before they become problems.
