Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

ProxyLogon (CVE-2021-26855): 2021’s Top Contender for Vulnerability for the Year (It’s March...)

Rapid Response Blog - Bishop Fox Team Responds to Security News

Share

It is difficult to overstate the severity and reach of the latest group of vulnerabilities disclosed in on-premise Microsoft Exchange servers earlier this month. Exploitation of these 0-day vulnerabilities has been detected world-wide and defenders are actively patching, mitigating and most importantly, conducting incident response to understand the depth of their potential compromise.

The latest attack on Microsoft Exchange servers encompasses several unique vulnerabilities in an attack chain. The impact is critical due to the plethora of private/confidential communications in corporate email systems as well as the abundance of vulnerable servers on the internet. Unauthenticated exploitation lowers the barrier to entry for an attacker that is able to communicate with the vulnerable exchange servers. To be clear, the four vulnerabilities listed below affect Microsoft Exchange Server, while Exchange Online is unaffected.

WHO'S AFFECTED?

The scale of the attack is the biggest concern at this time. Over 30,000 organizations across the United States, from government institutions and large corporations to local small businesses, have been attacked. Microsoft initially tied the attack to a single threat actor, which they named Hafnium, but have since reported multiple threat actors leveraging these vulnerabilities. The attackers focus on gaining remote code execution (RCE), stealing email from victim organizations, and leaving behind common web shells for persistent access. The attack is unique because it targets several zero-day vulnerabilities. Because attackers were able to exploit a previously unknown vulnerability, any on premise Microsoft OWA servers exposed to the internet should be assumed compromised. Upon successful exploitation and establishment of persistence, the threat actor could gain further control over other assets in the network. Due to the nature of this attack, mitigation strategies may not fully remove any access already obtained and additional incident response should follow.

There are conflicting numbers of affected servers being reported, but telemetry from Palo Alto Networks indicates over 125K Exchange servers remain unpatched across the world. These vulnerabilities also affect a wide range of server versions and present enough risk that Microsoft has released patches for older servers that are no longer supported.

  • Exchange 2010: Version 14.3.496.0 and below
  • Exchange 2013: Any version below 15.0.1497.2 (not inclusive)
  • Exchange 2016: Any version below 15.1.2106.2 (not inclusive)
  • Exchange 2019: Any version below 15.2.721.2 (not inclusive)

WHAT'S THE WORST THAT CAN HAPPEN?

Successful exploitation results in attackers gaining sensitive information in the internal network and may allow them to download user email and possibly gain full RCE on the mail server. With email access, the attackers can redirect email to release sensitive information outside an organization. Attackers will often leave web shells behind for persistent access. They can leverage this level of access to pivot deeper into the network with opportunities to attack an organization’s Domain Controllers and other high value services.

Defenders should quickly apply patches and conduct thorough incident response. To guard against future threats, they should continuously monitor their exchange servers for the creation of new aspx files that may be web shells or indicators of compromise, remotely log all powershell activity and review those logs on a regular cadence. With reports that web shells are being accessed after a patch has been installed, defenders must ensure all non-standard aspx pages are examined for malicious intent.

Microsoft has made the following tools available for defenders responding to this immediate threat.


Barrett darnell

About the author, Barrett Darnell

Bishop Fox Alumnus

Barrett Darnell was a Senior Operator at Bishop Fox and a technical lead for the Continuous Attack Surface Testing (COSMOS) Managed Security Service. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Barrett led an offensive operations team in the US Air Force's premier selectively-manned cyber attack squadron. Barrett also teaches SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking to a worldwide audience. Barrett holds a Bachelor of Science in Computer Science from Washington State University and a Master of Science in Software Engineering from the University of West Florida.

More by Barrett

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.