Zero day vulnerabilities in Microsoft Exchange server have had a widespread impact in March 2021. The attacks were initially attributed to the Hafnium group but now multiple threat actors are leveraging these vulnerabilities. Recently, four new Exchange server vulnerabilities were revealed by NSA and MSRC.
In March 2021, one vulnerability (CVE-2021–26855) allowed the attackers to breach Exchange servers using server cookies and get unauthorized access to server data.
Two new vulnerabilities — CVE-2021–28480, CVE-2021–28481 — are on similar lines i.e. these pre-authentication vulnerabilities allow attackers unauthorized access.
CVE-2021–26857 was a separate vulnerability leveraged by attackers for Remote Code Execution(RCE). The attack exploits a .NET deserialization vulnerability in Exchange Unified Messaging service. Although Unified Messaging service is an optional service, their use in larger organizations may not be uncommon for unified experience of voicemail and email services.
CVE-2021–26858 and CVE-2021–27065 — discovered in March — can be used in conjunction for arbitrary file writes on the Exchange server file system.
Newer vulnerabilities CVE-2021–28482 and CVE-2021–28483 are similar in the sense that both require authenticated access and could lead to RCE attacks.
Post exploitation behaviors known so far include dropping webshells and/or ransomware binaries.
There is a lot of coverage for the CVEs revealed in March 2021. MSRC has done a phenomenal job of creating and sharing the discovery, mitigation scripts and IoCs. However, there is no proof yet of new vulnerabilities being exploited in the wild or a Proof of Concept disclosed for the same.
The Recurrence Challenge
Exchange server exposes multiple web services which might have more vulnerabilities. Determined threat actors can identify and will likely continue to target Exchange servers.
Most services on Exchange server are implemented in .NET. Attackers have found and targeted several .NET deserialization vulnerabilities in recent years. The Exchange server vulnerability (CVE-2021–26857) was one such example. Note that, addressing current vulnerabilities in the Exchange server does not necessarily mean it will not be susceptible to more deserialization attacks via other .NET based services.
Smaller organizations typically cannot afford multiple servers for distributed Exchange deployments and will invariably expose all exchange services on one server. This means a single Exchange server vulnerability will allow attackers to breach and control multiple Exchange services.
Recently at Pwn2Own CTF 2021, more Exchange server vulnerabilities were discovered. This just attests to the fact more such attacks are bound to happen and it is just a matter of time. Considering the spread of exchange server attacks and possibilities of a new wave of attacks, it is safe to say “Assume Breach” is the only reliable approach to security.
There are certain techniques which are commonly seen after exploitation of Exchange server attacks. Following examples demonstrate detection of these essential attacker techniques.
An unexpected shell process is started by Exchange server processes followed by creation of an anomalous file (webshell).
2. A reverse shell is created via PowerShell.
3. Dumping of credentials from lsass.exe using commonly available dump utilities such as procdump.exe
4. Powercat downloaded and used to list connections. Subsequently, PowerShell could be used to add an exchange snap-in. The added snap-in allows attackers to collect user data for potential exfiltration.
The Right Solution
A security solution must go beyond EDR (Endpoint Detection and Response) and SIEM(Security Information and Event Management) to detect such stealthy, seemingly unrelated and temporally separated behaviors such as this Exchange server attack.
Detections spread across processes and hosts can send analysts on a wild goose chase. The exchange vulnerabilities went undetected for quite some time because the actions were seemingly unrelated. The right solution should stitch together actions such as webshell used for environment discovery, credential access and persistence.
Real time Detection
The Exchange server processes created webshell files which are accessed via IIS web server. A smart detection solution must correlate and escalate such actions in real time to elevate the urgency. A timely response from SoC teams can ensure the webshells are quarantined or removed before attackers can establish persistence.
Coverage across infrastructure and time
Attackers may very well drop the payloads and invoke them later. Ability to identify lateral movements is essential for assessing the breach.
Intent behind weak signals
Typical EDR detections or SIEM alerts fall short to put together a rationale. Individually inspected actions might even seem legible. A graph of actions built with user session information and relations among processes can make the intent obvious for a security analyst.
The Confluera platform is built with precisely these requirements in mind. The intent based graphs provide context and storyboarding for a chain of actions in real time. Above shown screenshots demonstrate this.
Threat groups are known to reverse engineer Microsoft patches and exploit the window between patch release and actual updates. So it goes without saying, patching the Exchange servers as soon as possible is must.
Use MSRC script to identify vulnerable exchange servers in your infrastructure and apply mitigations
The SSRF vulnerability allows attackers to steal contents of mailboxes. Impacted organizations should look for subsequent abuse of stolen data such as phishing emails to stolen contacts, ransom demands to stop disclosure of confidential data.
Post exploitation behavior typically includes dropping webshells and ransomware payloads. Organizations should scan their web server deployments for webshells, review their backup and disaster recovery strategy to avoid ransomware impact.