• India
  • Contact@SecureGlobeConsulting.com
  • Office Hours: 7:00 AM – 10:00 PM

Mitigate Microsoft Exchange Server Vulnerabilities

Microsoft newly discloses and mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

  • CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
  • CVE-2021-26857CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.  
    • CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
    • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.

It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.

Microsoft Security Intelligence has released a tweet on Dearcry ransomware being used to exploit compromised on-premises Exchange Servers. Ransomware infections can have negative consequences to an affected organization, including:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Tactics, Techniques and Procedures

Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly encourages organizations to run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised.

Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that can automate portions of both the detection and patching process. Microsoft stated the following along with the release: “[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.” Review the EOMT.ps1 blog post for directions on using the tool.

CISA recommends investigating for signs of a compromise from at least January 1, 2021 through present.

CISA has identified 10 webshells associated with this activity. This is not an all-inclusive list of webshells that are being leveraged by actors. CISA recommends organizations review the following MARs for detailed analysis of the 10 webshells, along with TTPs and IOCs. These MARs include CISA-developed YARA rules to help network defenders detect associated malware.

  1. AR21-072A
  2. AR21-072B
  3. AR21-072C
  4. AR21-072D
  5. AR21-072E
  6. AR21-072F
  7. AR21-072G
  8. AR21-084A
  9. AR21-084B
  10. AR21-102A

A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine. Webshells are utilized for the following purposes:

  • To harvest and exfiltrate sensitive data and credentials;
  • To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
  • To use as a relay point to issue commands to hosts inside the network without direct internet access;
  • To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.

It has observed the following files as targets of HTTP POST requests:

  • /owa/auth/Current/themes/resources/logon.css
  • /owa/auth/Current/themes/resources/owafont_ja.css
  • /owa/auth/Current/themes/resources/lgnbotl.gif
  • /owa/auth/Current/themes/resources/owafont_ko.css
  • /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
  • /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
  • /owa/auth/Current/themes/resources/lgnbotl.gif

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl=’

The logs can be found at <exchange install path>\Logging\ECP\Server\.

To determine possible webshell activity, administrators should search for aspx files in the following paths:

  • \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
  • \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any aspx file in this folder or subfolders)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any aspx file in this folder or subfolders)

Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.

These should not be taken as definitive IOCs:

  • DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
  • facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
  • Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
  • Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
  • Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
  • Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
  • Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

It is observed these user-agents in conjunction with exploitation to /ecp/ URLs:

  • ExchangeServicesClient/0.0.0.0
  • python-requests/2.19.1
  • python-requests/2.25.1

These user-agents were also observed having connections to post-exploitation web-shell access:

  • antSword/v2.1
  • Googlebot/2.1+(+http://www.googlebot.com/bot.html)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs:

  • POST /owa/auth/Current/
  • POST /ecp/default.flt
  • POST /ecp/main.css
  • POST /ecp/<single char>.js

It has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

  • 103.77.192[.]219
  • 104.140.114[.]110
  • 104.250.191[.]110
  • 108.61.246[.]56
  • 149.28.14[.]163
  • 157.230.221[.]198
  • 167.99.168[.]251
  • 185.250.151[.]72
  • 192.81.208[.]169
  • 203.160.69[.]66
  • 211.56.98[.]146
  • 5.254.43[.]18
  • 5.2.69[.]14
  • 80.92.205[.]81
  • 91.192.103[.]43

A list of webshell hashes have also been provided by Microsoft:

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Note: this is not an all-inclusive list of indicators of compromise and threat actors have been known to use short-term leased IP addresses that change very frequently.

Mitigations

CISA strongly recommends organizations read Microsoft’s advisory and security blog post for more information on how to look for this malicious activity and to apply critical patches as soon as possible.

CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers. This particular type of attack is scriptable, allowing attackers to easily exploit vulnerabilities through automated mechanisms. It has been advised all entities to patch as soon as possible to avoid being compromised.  

From Microsoft, the security updates are available for the following operating systems:

  • Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
  • Exchange Server 2013 (update requires CU 23)
  • Exchange Server 2016 (update requires CU 19 or CU 18)
  • Exchange Server 2019 (update requires CU 8 or CU 7)

If you are running an older CU then what the patch will accept, you must upgrade to at least the required CU as stated above then apply the patch. 

All patches must be applied using administrator privileges.
 

If patching is not an immediate option, CISA strongly recommends following alternative mitigations found in Microsoft’s blog on Exchange Server Vulnerabilities Mitigations. However, these options should only be used as a temporary solution, not a replacement for patching. Additionally, there are other mitigation options available. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:

  • Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
  • Block external access to on-premises Exchange:
    • Restrict external access to OWA URL: /owa/
    • Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL: /ecp/.
  • Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
Tags
Previous Post
Top Routinely Exploited Vulnerabilities
 Next Post
Exploitation of Pulse Connect Secure Vulnerabilities

Leave a Comment