Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit

    Update #3 - 08/21/2021 @ 6:48am ET - Included graph of unpatched servers and LockBit ransomware
    Update #2 - 08/21/2021 @ 2:03am ET - Included five distinct webshell payloads
    Update #1 - 08/21/2021 @ 1:19am ET - Included clarification on ProxyShell vs. ProxyLogon

    Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year.

    Back in March of this year, we saw multiple zero-day exploits being used to attack on-premises Exchange servers—and it looks like we’re not out of the woods yet. Those who have not patched since April or May are not safe and could still be exploited.

    We recommend you update to the latest security patch, monitor for new indicators of compromise and stay up-to-date on new information as it is released. We will continue to update this post with new findings.

    Update #3 - 08/21/2021 @ 6:48am ET

    The pace of webshell activity slowed down a bit through the night but is still going. During this time, we built some simple analytics to highlight the patch levels

    Collaboration with industry security researchers Kevin Beaumont and Rich Warren has helped corroborate that the webshell and LockFile ransomware incidents we’re seeing within companies may be related:


    We’ll continue to keep the community updated as things progress.

    Update #2 - 08/21/2021 @ 2:03am ET

    In the month of August (not limited to the past 48hr surge), we've currently observed at least five distinct styles of webshells deployed to vulnerable Microsoft Exchange servers:

    1. XSL Transform (most common, over 130 occurrences)
    2. Encrypted Reflected Assembly Loader
    3. Comment Separation and Obfuscation of the "unsafe" Keyword
    4. JScript Base64 Encoding and Character Typecasting
    5. Arbitrary File Uploader

    Update #1 - 08/21/2021 @ 1:19am ET

    We've seen a number of questions about whether Exchange 2010 is vulnerable. As mentioned below, the ProxyShell exploit chains three separate vulnerabilities to get code execution.

    According to nist.gov's CVE entries linked above, Exchange 2010 is not affected by these. However, Exchange 2010 reached end of life back in October 2020 which means:

    "Microsoft will no longer [provide] security fixes for vulnerabilities that may make the server vulnerable to security breaches"

    We strongly advise against running an EOL'd 2010 server in 2021.

    What’s Happening?

    Hackers are exploiting vulnerabilities in Microsoft Exchange, dubbed ProxyShell, to install a backdoor for later access and post-exploitation. This ProxyShell attack uses three chained Exchange vulnerabilities to perform unauthenticated remote code execution.

    • CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
    • CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
    • CVE-2021-31207 enables malicious actors, post-authentication, to execute arbitrary code in the context of SYSTEM and write arbitrary files.

    Huntress is seeing attackers actively exploiting these vulnerabilities against vulnerable Exchange servers. Our team has sent over 100 incident reports related to this exploit in the last two days, August 17 and 18.

    What Should You Do?

    It is imperative that you update your Exchange servers to the latest released patches. At a minimum, please ensure that you have the July 2021 updates installed. You can view the installed hotfixes by running the command systeminfo in an administrative command prompt. The output in the “Hotfixes” section should include the Knowledge Base (KB) identifiers appropriate for your Exchange version, listed below.

    Here is a list of patch levels and the SHA-256 hash of the MSExchangeRPC service binary that indicates a fully patched server as of July 2021:

    • Exchange 2019 CU10 + KB5004780 = v15.2.922.13
      SHA-256: 8a103fbf4b18871c1378ef2689f0bdf062336d7e02a5f149132cdbd6121d4781

    • Exchange 2019 CU9 + KB5004780 = v15.2.858.15
      SHA-256: c5c88f5b013711060bcf4392caebbc3996936b49c4a9b2053169d521f82010aa

    • Exchange 2016 CU21 + KB5004779 = v15.1.2308.14
      SHA-256: 9f7f12011436c0bbf3aced5a9f0be8fc7795a00d0395bfd91ff76164e61f918d

    • Exchange 2016 CU20 + KB5004779 = v15.1.2242.12
      SHA-256: ab767de6193c3f6dff680ab13180d33d21d67597e15362c09caf64eb8dfa2498

    • Exchange 2013 CU23 + KB5004778 = v15.0.1497.23
      SHA-256: 20659e56c780cc96b4bca5e4bf48c812898c88cf134a84ac34033e41deee46e9
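The patch-level check described above, written out as an added example (this is not code from the Huntress post). It assumes the MSExchangeRPC service is registered so its binary path can be read from the service definition, and that Exchange security updates appear in Win32_QuickFixEngineering, the same source systeminfo reads for its Hotfixes section.

```powershell
# Added example: compare this server's MSExchangeRPC binary with the July 2021
# hashes listed in the post, and check whether the matching KB is reported installed.
$KnownGood = @{
    '8a103fbf4b18871c1378ef2689f0bdf062336d7e02a5f149132cdbd6121d4781' = 'Exchange 2019 CU10 + KB5004780 (15.2.922.13)'
    'c5c88f5b013711060bcf4392caebbc3996936b49c4a9b2053169d521f82010aa' = 'Exchange 2019 CU9 + KB5004780 (15.2.858.15)'
    '9f7f12011436c0bbf3aced5a9f0be8fc7795a00d0395bfd91ff76164e61f918d' = 'Exchange 2016 CU21 + KB5004779 (15.1.2308.14)'
    'ab767de6193c3f6dff680ab13180d33d21d67597e15362c09caf64eb8dfa2498' = 'Exchange 2016 CU20 + KB5004779 (15.1.2242.12)'
    '20659e56c780cc96b4bca5e4bf48c812898c88cf134a84ac34033e41deee46e9' = 'Exchange 2013 CU23 + KB5004778 (15.0.1497.23)'
}
$JulySUs = 'KB5004780', 'KB5004779', 'KB5004778'

# Assumption: the service definition points at the binary the post's hashes cover.
$svc = Get-CimInstance Win32_Service -Filter "Name='MSExchangeRPC'"
if (-not $svc) { throw 'MSExchangeRPC service not found; is this an Exchange server?' }

# PathName may be quoted and may carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash.ToLower()
$ver  = (Get-Item $exe).VersionInfo.FileVersion

# Which of the July 2021 security updates does the OS report as installed?
$installedSUs = Get-HotFix | Where-Object { $JulySUs -contains $_.HotFixID } | ForEach-Object HotFixID

[pscustomobject]@{
    Binary       = $exe
    FileVersion  = $ver
    SHA256       = $hash
    MatchesKnown = $KnownGood.ContainsKey($hash)
    PatchLevel   = if ($KnownGood.ContainsKey($hash)) { $KnownGood[$hash] } else { 'UNKNOWN: not a July 2021 patched build (older, newer, or modified)' }
    JulySUsFound = ($installedSUs -join ', ')
}
```

A hash mismatch with a newer FileVersion usually means a later update is installed; an unknown hash with an older version than those listed is the case to act on.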

    Indicators of Compromise

    So far, Huntress has found webshells written in subdirectories within the Exchange installation path. Typically, these files have a random filename, while some are human readable.

    Below is a short snippet of webshells we have discovered:

    C:\inetpub\wwwroot\aspnet_client\HWTJQDMFVMPOON.aspx

    Note that these are not pure ASPX files. Examining the magic bytes and file header shows that each file is instead a Microsoft Outlook email folder.

    Upon further inspection of such a file (with simple strings or a hex editor), you will find valid ASPX code that often executes code through an eval statement or allows further uploading of files.
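A hunt for the indicators described above, as an added example that is not from the Huntress post: it walks the aspnet_client web root and the Exchange installation path for recently modified .aspx/.ashx files that either carry the Outlook PST header (the "!BDN" signature) or contain strings tied to the webshell styles listed in Update #2. It assumes IIS on the system drive, the ExchangeInstallPath environment variable set by the Exchange installer, and a 30-day lookback.

```powershell
# Added example: triage list of .aspx/.ashx files that are disguised Outlook
# folders (PST header) or contain eval/unsafe/assembly-loading/upload strings.
$Roots  = @("$env:SystemDrive\inetpub\wwwroot\aspnet_client")
if ($env:ExchangeInstallPath) { $Roots += $env:ExchangeInstallPath }   # assumption: set by the installer
$Cutoff = (Get-Date).AddDays(-30)                                      # August activity window

# Outlook PST/OST files start with the bytes '!BDN' (21 42 44 4E).
$PstMagic = '21-42-44-4E'
# Heuristic strings for the five webshell styles in Update #2 (eval, "unsafe",
# reflected assembly loader, file uploader, XSL transform).
$Suspicious = 'eval\(|unsafe|Assembly\.Load|Request\.Files|Xsl'

function Test-PstHeader([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
    } finally { $fs.Dispose() }
    return ($n -eq 4) -and ([BitConverter]::ToString($buf) -eq $PstMagic)
}

$Roots | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -File -Include *.aspx, *.ashx -ErrorAction SilentlyContinue
} | Where-Object { $_.LastWriteTime -gt $Cutoff } | ForEach-Object {
    $isPst = Test-PstHeader $_.FullName
    $hit   = Select-String -Path $_.FullName -Pattern $Suspicious -Quiet -ErrorAction SilentlyContinue
    if ($isPst -or $hit) {
        [pscustomobject]@{
            Path              = $_.FullName
            Modified          = $_.LastWriteTime
            PstHeader         = $isPst
            SuspiciousContent = [bool]$hit
            SHA256            = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
```

Treat hits as leads for review rather than verdicts: a PST header on a .aspx file is a strong signal, while the string matches are broad on purpose and will need a look at the file.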

    Further Reading and Resources

    This attack chain was presented at Black Hat USA ‘21 in Orange Tsai’s presentation, “ProxyLogon is Just the Tip of the Iceberg.” For a detailed explanation on the attack chain, see:

    Orange Tsai had also provided a text-based writeup of the attack chain for the Zero Day Initiative following the Pwn2Own contest, which you can find here.
