Introduction to the case
Our investigation focused on an email server running Microsoft Exchange version 2019.
At the time of our analysis in March 2021, a U.S. government agency had scanned the client's Exchange server and identified a file that matched a signature for the attack framework, Cobalt Strike. Given a copy of the virtual hard drive providing a snapshot of the system taken on 2021-03-12, we were informed that the security patches had not yet been applied. The mail server was therefore vulnerable to the ProxyLogon attack.
Overview of the ProxyLogon attack
Prior to analysis, we sought to understand the sequence of events involved in this attack. As with all publicly-disclosed computer vulnerabilities, a common vulnerabilities and exposure (CVE) ID number was given to each of the four security flaws.
To begin our investigation, we manually checked directories that Microsoft has identified as common destinations for web shell installation as reported by Microsoft.
During this initial check, we identified and isolated three Active Server Page Extended (APSX) files on the server, which had been modified between 2021-03-03 and 2021-03-05: supp0rt.aspx; OutlookEN.aspx; and RedirSuiteServerProxy.aspx. The modification dates of these files was of particular interest, as Microsoft’s public disclosure of the vulnerabilities on 2021-03-02 led to their widespread exploitation.
With evidence suggesting that web shells had been installed, we used recently released Microsoft mitigation and remediation tools to confirm our findings. We used one of the PowerShell scripts provided by Microsoft, Test-ProxyLogon, to identify additional indicators of compromise on the Exchange server.
The Test-ProxyLogon script collects logs for each CVE and provides evidence of exploitation of the four vulnerabilities, as shown below.
Two of the four vulnerabilities were being exploited on the Exchange server (CVE-2021-27065 and CVE-2021-26855), suggesting successful authentication to the server and a dropped web shell or payload onto the system.
We ran the antimalware tool, Microsoft Support Emergency Response Tool (MSERT), recently updated with signatures to detect web shells on vulnerable Exchange servers. This tool automatically deletes any web shells or other payloads detected by default; however, the command line argument ‘msert.exe /N /F’ performs a full scan without any remediation, allowing us to preserve evidence.
The output for the MSERT tool was stored in a log file located in the path C:\Windows\Debug\msert.log.
The tool identified two additional suspicious dynamic-link library files, ‘App_Web_yroudy35.dll’ and ‘App_Web_deuxc2qd.dll’, along with the .aspx files discussed previously. We reviewed the five files for web shell code with a particular focus on Exchange Offline Address Book (OAB) configuration files. The ExternalUrl field matched a signature for the China Chopper web shell in two of these files, pointing to successful exploitation of the vulnerability CVE-2021-26858 and/or CVE-2021-27065, as the script shows below.
Finally, we sought to determine whether CVE-2021-26857 had been exploited and to identify any post-exploitation activity.
We reviewed files written to the Exchange server by two processes, UMWorkerProcess.exe, associated with Microsoft Exchange Server’s Unified Messaging service and w3wp.exe, the IIS web server worker process. Threat actors have commonly used both of these processes to drop web shells and additional payloads on the Exchange server. The review ensures that any suspicious files not caught by the scripts and our investigation are found.
Reports of similar attacks indicated threat actors attempted to delete the administrator user from the Exchange administrators group. We found no evidence of the command ‘net group "Exchange Organization administrators" administrator /del /domain’ being run against the Exchange server to suggest this activity.
Our investigation concluded that a threat actor (or group of actors) gained unauthorised access to the Exchange server, dropping five web shells on the system between 2021-03-03 and 2021-03-05. The presence of these files on the system indicated that the first two stages of the ProxyLogon attack chain were successfully exploited.
The publicly available proof of concept code for the initial stages of attacks facilitated execution by not only sophisticated state-sponsored threat groups but also less skilled adversaries. Although the threat actors were able to drop web shells onto the Exchange server, we found no indicators to suggest exploitation of the more challenging third stage of the attack for post-exploitation activity.
Many organisations responded to the Hafnium-related vulnerabilities by patching their systems and checking for any signs of suspicious activity. The FBI took the decision to proactively remove web shells from private Exchange servers. But as of May 2021, it is estimated that approximately 6% of Exchange servers have yet to be patched and are therefore still vulnerable to the ProxyLogon attack chain.
Find out more
If you are currently experiencing a cyber attack, please request emergency assistance immediately.
To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.
Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.
Other recent insights