Last Updated April 2, 2021

US-CERT.CISA

Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on active exploitation of vulnerabilities in Microsoft Exchange Server products which are used by Hafnium-attack-group and China Chopper Web Shell attacks, and other Advanced Persistence Threats.

Description

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

Determined Impact

  • Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.
  • Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. 

Why it is Critical?

After successful exploitation activities, Attackers can gain access to email accounts and install additional malware/ scanning tools to remain persisted on the network.

Affected Components

  • On-premises versions of Microsoft Exchange Servers primarily on Microsoft Exchange Server 2013, 2016, 2019.

Note: Exchange Online is not affected.

CVE Details

  • CVE-2021-26855 allows Unauthenticated attacker to send arbitrary HTTP requests.

The following CVEs allow for remote code execution.

Exploit Tools used by HAFNIUM Group/China chopper variants

Required Actions

If any exploit attempts are observed with lateral movement activities, Netsurion’s EventTracker SOC recommends the following actions.

  • Microsoft has released a new one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool, to help customers apply security updates, who do not have dedicated security or IT teams.
  • SOC recommends updating on-premises systems immediately. (Reference: Microsoft Security Response Center).
  • Validate whether any unknown tasks and services are existing on the Exchange server and disable the unknown tasks, then run a complete anti-malware scan with the updated signature.
  • Validate and remove unknown .aspx, .bat and unknown executable files from the following paths and restore the files from an uninfected backup file:
    • C:\Exchange\FrontEnd\HttpProxy\owa\auth\
    • C:\inetpub\wwwroot\aspnet_client\
    • C:\inetpub\wwwroot\aspnet_client\system_web\
  • Initiate global password reset operation for exchange accounts if any unauthorized file access observed for Lsass.exe, lsass.dmp and ntds.dit.
  • Kindly ensure that the strong password policy is in place.
  • Ensure that Multi-Factor Authentication (MFA) is enabled for Exchange account logins.
  • Remove unwanted applications from the server.
  • Upgrade Operating Systems to the latest version.
  • Run vulnerability scans on the host and patch all critical vulnerabilities.
  • Ensure that the regular backup operation and proper network segmentation is in place for public-facing servers.

Recommended mitigation steps by CISA:

  • Microsoft strongly urges customers to update on-premises systems immediately. The latest version is available on Microsoft Security Response Center.
    • Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense-in-Depth update)
    • Exchange Server 2013 (update requires CU 23)
    • Exchange Server 2016 (update requires CU 19 or CU 18)
    • Exchange Server 2019 (update requires CU 8 or CU 7)
  • (Updated March 4, 2021): If you are running an older CU than what the patch will accept, you must upgrade to at least the required CU as stated above, then apply the patch. 
  • (Updated March 4, 2021): All patches must be applied using administrator privileges.
  • Restrict untrusted connections to port 443 or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
  • Block external access to on-premises Exchange.
  • Restrict external access to OWA URL:/owa/
  • Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL:/ecp/.

(Updated March 4, 2021): Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

Detection Mechanism (If patches not applied)

Existing P1 Alerts:

  • EventTracker: Exploit Attempt Detected will be triggered while net user command used for copying user details to remote files/folders or lsass.dmp file accessed through sys internal tools.
  • EventTracker: Active Directory Enumeration Attempt Detected will be triggered when active directory enumeration related tool or command executions observed.
  • EventTracker: Bad Hash Detected will be triggered when a known exploit tool/executable file with VirusTotal reputation score of five (5) and above.
  • PowerShell running suspicious commands will be triggered if any encoded commands or download strings are observed.
  • EventTracker: Suspicious Exploit tool detected helps in identifying known exploit tools.
  • EventTracker EDR: New product or signer is detected will be triggered when a new product or signer detected during the first time launch of malicious tools.
  • EventTracker: A process has been terminated by EventTracker will be triggered when an identified bad Hash component launch stopped by EventTracker agent based on the unsafe list.
  • EventTracker: A process connected to an unsafe IP will be triggered when a connection observed to unsafe IP addresses which are known to be involved in Command-and-Control server.

Monitoring Plans: Alert Monitoring, Saved Searches and Dashboards:

Alert Monitoring

  • Saved Searches/Dashboards has been created to identify the known patterns discovered with Recent Exchange server exploits.

Indicators of Compromise

  • EventTracker Threat Center has been updated with Identified Bad MD5 Hash Values and IP addresses to detect the IP address communication and terminate process launches based on the unsafe list.
IOC Type Value
MD5 4b3039cf227c611c45d2242d1228a121
2C79376B314535CEC6EB026E76FB7BCE
9b02dd2a1a15e94922be3f85129083ac
e438712e336982548b884cbfbfee6c9e
8aea2ae91cc084731a08aa231e79a430
7a6c605af4b85954f62f35d648d532bf
c2d8c7a741b68b227281e391f8f6f7d2
79eb217578bed4c250803bd573b10151
cdda3913408c4c46a6c575421485fa5b
0e55ead3b8fd305d9a54f78c7b56741a
c6eeb14485d93f4e30fb79f3a57518fc
f2e22df5e284587dc36f8041129af391
aef2ae9b36989bab8818696de5ccd5e7
e912f273e629bf974a29213b6427d02b
4ef04cba6bec2c3a164b9b755efbeb1c
fe15fc6341baad2a111462854f96a2bc
5544ba9ad1b56101b5d52b5270421d4a
12011c44955fd6631113f68a99447515
263b49414c6ff7ef241483e56ba3f9fd
42097da8cfcaa155d2428f1e4798ceaf
045c9b751db2ab01ff0ebece76804e78
d6a82b866f7f9e1e01bf89c3da106d9d
8af476e24db8d3cd76b2d8d3d889bb5c
74b1fe8003e43195458bcacb0ceff5ec
36f0f5c88e6f16d95ffbf471d6c7a03e
9c7268ff2834d14688386c89385bbc8b
39d0ad83e254ed1a7eade133a00a5264
37ce783abd979851f35314d050978a22
ad3cad7d9bcb68d35484eb63a0b4c928
27a79d5d4263c400767ece37dbda2687
ef4681593128987f357e2c2d1e91230a
e3af60f483774014c43a7617c44d05e7
98E445AB15F91DCBAAEFF3AF517F1842
819B97326C40F0677C63492451C9B9DD
354B3C8A54BA3B23C6B899BF5830D777
5CFA1868F0112B1F413CCD527F08EACF
217B7244D8AC1D7604B0848A9A283945
DA4A376F5F0E771E7AC01AD42FFAFBD0
7EEE73ECAB40ACDE73FE763FB1D79658
817A6ED8578403B1E56C75D41BDC4881
C528278654422CB7339DBF9BFC19397A
f8b604ca7aa304a479f2461d1b74e795
96c2f4acef5807b54ded4e0dae6ed79d
aa2efe290df3c38c26c70b1f40f69812
faa5f4def7e037324f5f87239ddead2d
a5f6b6e95ef8a26081259813ca18e17b
20e8e55625f68ed42a793d76d359a858
IP Address 103.77.192.219
104.140.114.110
104.250.191.110
108.61.246.56
149.28.14.163
157.230.221.198
167.99.168.251
185.250.151.72
192.81.208.169
203.160.69.66
211.56.98.146
5.254.43.18
80.92.205.81
165.232.154.116
161.35.45.41
45.77.252.175
5.2.69.14
91.192.103.43
188.166.162.201
86.105.18.116
89.34.111.11
154.83.16.122
43.254.216.136
45.133.119.141
45.249.244.118
94.177.123.16
152.32.174.110
1.36.203.86
1.65.152.106
1.9.2.18
103.135.248.70
103.212.223.210
104.225.219.16
108.172.93.199
108.61.171.184
110.36.235.230
110.36.238.2
110.39.189.202
112.168.90.84
113.173.3.225
114.205.37.150
116.49.101.143
117.146.53.162
119.197.26.38
119.231.129.222
121.174.31.220
121.176.145.25
122.213.178.102
123.16.231.247
124.5.24.161
128.90.21.223
139.59.56.239
161.35.76.1
167.179.67.3
170.10.228.74
172.105.87.139
179.1.65.54
182.165.53.4
182.18.152.105
185.171.166.188
185.173.235.172
185.173.235.54
185.224.83.137
185.65.134.165
185.65.134.170
198.50.168.176
200.52.177.138
201.17.196.211
201.208.18.226
202.182.118.99
209.58.163.131
211.177.182.80
213.219.235.158
218.39.251.104
219.100.37.239
219.100.37.243
219.78.205.63
23.95.80.191
31.182.197.163
31.28.31.132
39.123.17.120
45.154.2.94
46.101.232.43
46.23.196.21
46.244.29.17
49.36.47.211
5.189.162.164
5.2.69.13
58.190.46.175
61.82.150.49
78.188.104.84
78.189.225.136
89.147.119.227
90.230.190.92
121.154.50.51
58.126.135.235
URL Queries on IIS (IIS logging is must) /ecp/(Random string).js
/ecp/DDI/DDIService.svc/GetList
/owa/auth/logon.aspx
C:\inetpub\wwwroot\aspnet_client\ (random file name).aspx
C:\inetpub\wwwroot\aspnet_client\system_web\(random file name).aspx
C:\Exchange\FrontEnd\HttpProxy\owa\auth\(random file name).aspx
web.aspx
help.aspx
document.aspx
errorEEE.aspx
errorEW.aspx
healthcheck.aspx
aspnet_www.aspx
aspnet_client.aspx
xx.aspx
shell.aspx
aspnet_iisstart.aspx
one.aspx
/owa/auth/errorEE.aspx
/owa/auth/errorFE.aspx
/aspnet_client/aa.aspx
hackIdIO.aspx
ckPassPL.aspx
chackLogsPL.aspx
healthcheck.htm
antSword/v2.1 (User agent)
DuckDuckBot/1.0 (User agent)
ExchangeServicesClient/0.0.0.0 (User agent)
Process Command Lines cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&id&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&whoami&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&quser&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&netstat -anop tcp | grep LISTEN*&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&net use * /delete /y&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&xcopy \\shared path\ c:\windows\temp\doc\ /S /Y&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&rmdir c:\windows\temp\doc&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&del /f /s /q c:\windows\temp\x.rar&echo [S]&cd&echo [E]
c:\Windows\debug\\7za.exe  -admin@files a c:\Windows\debug\\n.7z c:\Windows\debug\\system c:\Windows\debug\\ntds.dit
C:\Windows\system32\cmd.exe  /K c:\windows\debug\(Random single letter).bat
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&C:\windows\temp\ps.exe -accepteula -ma lsass.exe C:\windows\temp\lsass
C:\Windows\system32\cmd.exe  /K c:\windows\debug\(Random single letter).bat
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&taskkill /f /im ncat.exe&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&del /f /s /q c:\windows\temp\p3.exe&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&tasklist&echo [S]&cd&echo [E]
cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&systeminfo&echo [S]&cd&echo [E]
"cmd" /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web\"&C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsass.dmp&echo [S]&cd&echo [E]

Contact us

EventTracker SOC | EventTracker Enterprise SOC
Group Email : soc@netsurion.com
T: 877-333-1433 Extn - 3803 (OR) 1- 410-953-6776 Option 2 or Dial Extn – 3803

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s managed cybersecurity platforms enable companies to deliver on both.

Netsurion Managed Threat Protection combines our ISO-certified security operations center (SOC) with our own award-winning cybersecurity platform to better predict, prevent, detect, and respond to threats against your business. Netsurion Secure Edge Networking delivers our purpose-built edge networking platform with flexible managed services to multi-location businesses the need optimized network security, agility, resilience, and compliance for all branch locations.

Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Reference Details: