Threat actors are using a couple of dangerous new tactics to exploit the so-called ProxyShell set of vulnerabilities in on-premises Exchange Servers, which Microsoft patched earlier this year and which were the target of widespread attacks in July.
In multiple recent incident response engagements, Mandiant researchers found attackers had abused ProxyShell to drop Web shells on vulnerable systems in a different — and more difficult to detect — manner than used in previous attacks. In some attacks, threat actors skipped Web shells entirely and instead created their own hidden, privileged mailboxes, giving them the ability to take over accounts and create other problems.
As many as 30,000 Internet-facing Exchange Servers remain vulnerable to these attacks because they have not been patched, Mandiant said.
ProxyShell is a chain of three vulnerabilities in Exchange Server: CVE-2021-34473, a critical pre-authentication remote code execution flaw that requires no user interaction or privileges to exploit; CVE-2021-34523, a post-authentication elevation-of-privilege flaw; and CVE-2021-31207, a medium-severity post-authentication security feature bypass that lets an attacker write files to the server. Chained together, the three let an unauthenticated attacker run code on the server. The vulnerabilities exist in multiple versions of Exchange Server 2013, 2016, and 2019.
Microsoft patched the flaws in April and May but did not assign CVEs or disclose the patches until July. In August, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of attackers chaining together the three flaws to exploit vulnerable Exchange Servers.
Security vendors reported threat actors as exploiting the flaws mainly to deploy Web shells on Exchange Servers that they could use in future attacks. An analysis by Huntress Labs found the most common Web shell that attackers deployed was XSL Transform. Other common Web shells included Encrypted Reflected Assembly Loader, Comment Separation and Obfuscation of the "unsafe" Keyword, Jscript Base64 Encoding and Character Typecasting, and Arbitrary File Uploader.
Joshua Goddard, a consultant with Mandiant's incident response team, says attackers that exploited ProxyShell initially dropped Web shells via mailbox export requests. "Those Web shells could be used to remotely access Exchange servers and further compromise organizations, like deploying ransomware onto devices," he says.
But antivirus and endpoint detection and response (EDR) vendors were quick to build detections for Web shells created via mailbox export. That is likely what pushed attackers to look for new avenues for taking advantage of Exchange Server systems that are still unpatched against ProxyShell, Goddard says.
The tactic attackers are now using is to write the Web shell to disk by exporting it through the Exchange certificate store rather than through a mailbox export request.
"Web shells created by this means do not have the same file structure as those created by mailbox export, so attackers have had some success with this since not all security tools have appropriate detections in place," Goddard notes.
Mandiant researchers also observed ProxyShell attacks where threat actors did not deploy Web shells at all but instead created highly privileged mailboxes that were hidden from the address lists. They granted these mailboxes permissions over other users' mailboxes, then logged in through the Web client to browse or steal data.
"This is the most significant change in tactics," Goddard says. "Attackers are using ProxyShell vulnerabilities to achieve business email compromise [BEC] by interfacing with the Exchange services exclusively, instead of the operating systems hosting them," as is the case when dropping Web shells.
Attackers with this kind of access could potentially launch phishing attacks against other entities using the victim organization's email infrastructure, he warns. Since no malicious files are dropped to disk, it becomes more difficult for organizations to detect these attacks.
Spate of Exchange Server Flaws
Microsoft — and, by extension, its customers — has had its share of problems with Exchange Server flaws this year.
The most notable was in March, when the company had to rush out emergency patches for a set of four vulnerabilities in the technology, collectively referred to as ProxyLogon. The patches came after a Chinese threat group called Hafnium, and later others, were discovered actively exploiting the flaws in thousands of organizations. Concerns over the attacks were so high that a court authorized the FBI to take the unprecedented step of removing the Web shells that attackers had dropped on systems belonging to hundreds of US organizations — without notifying them first.
In September, researchers from Trend Micro reported finding ProxyToken, another Exchange Server flaw that gave attackers a way to copy targeted emails or forward them to an attacker-controlled account. Through the year, Microsoft has disclosed other Exchange Server vulnerabilities of varying severity, including a zero-day threat (CVE-2021-42321) that the company addressed in its November security update.
Goddard says at least some of the 30,000 systems that show up as vulnerable to ProxyShell are likely honeypots; however, a large number are not.
"Organizations that patched early may be safe, but organizations that haven’t patched yet and have their servers Internet-facing are at significant risk," he warns.
Organizations that were unpatched for any length of time after the vulnerabilities were disclosed should review their servers for unknown files and audit mailbox accounts and mailbox permissions, he says.
"Organizations need to detect and validate newly created files outside of change windows and have visibility on configuration changes to their Exchange infrastructure, which should be linked to defined change requests," Goddard says.
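As an added example that is not part of the original article and is not Mandiant's tooling, the following Exchange Management Shell script pulls together the review described above: the hidden, over-privileged mailboxes from the BEC tactic, plus the unknown files, mailbox accounts and mailbox permissions Goddard says to audit. The 180-day window and the default install path are assumptions to adjust; every cmdlet used is a standard, read-only Exchange or PowerShell cmdlet.

```powershell
# Added example (not from the article or Mandiant): read-only triage for an
# on-premises Exchange Management Shell session.
# Assumptions (hypothetical): review window of 180 days, default install path.
$Since       = (Get-Date).AddDays(-180)
$ExchangeDir = 'C:\Program Files\Microsoft\Exchange Server\V15'

# 1. Mailboxes hidden from the address lists and created inside the window.
#    A hidden mailbox with no business owner matches the tactic described above.
$hidden = Get-Mailbox -ResultSize Unlimited -Filter { HiddenFromAddressListsEnabled -eq $true } |
    Where-Object { $_.WhenCreated -ge $Since } |
    Select-Object Name, PrimarySmtpAddress, WhenCreated, RecipientTypeDetails

# 2. Explicit (non-inherited) FullAccess grants to someone other than the owner.
#    Attackers gave their own mailbox FullAccess over victims, then read them via OWA.
$fullAccess = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessRights -contains 'FullAccess' -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        $_.User -notlike 'S-1-5-*'
    } |
    Select-Object Identity, User, AccessRights, Deny

# 3. Members of the most privileged role groups; reconcile with the change record.
$privileged = foreach ($group in 'Organization Management', 'Recipient Management', 'Hygiene Management') {
    Get-RoleGroupMember -Identity $group |
        Select-Object @{ n = 'RoleGroup'; e = { $group } }, Name, RecipientType
}

# 4. Mailbox export requests, the original ProxyShell Web-shell delivery path.
#    A FilePath under a web root or ending in .aspx is suspect.
$exports = Get-MailboxExportRequest |
    Get-MailboxExportRequestStatistics |
    Select-Object Name, Status, FilePath, SourceAlias, QueuedTimestamp

# 5. Recently written script files in the directories IIS serves for Exchange.
#    This catches both the mailbox-export and certificate-export drop methods:
#    the files differ in structure but land in the same web roots.
$webRoots = @(
    "$ExchangeDir\FrontEnd\HttpProxy",
    "$ExchangeDir\ClientAccess",
    'C:\inetpub\wwwroot'
)
$newScripts = Get-ChildItem -Path $webRoots -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length

# One report object; each entry is a lead to validate against change tickets,
# not a verdict on its own.
[PSCustomObject]@{
    HiddenMailboxesCreatedRecently = $hidden
    ExplicitFullAccessGrants       = $fullAccess
    PrivilegedRoleGroupMembers     = $privileged
    MailboxExportRequests          = $exports
    RecentWebRootScripts           = $newScripts
}
```

Run it from an Exchange Management Shell with a View-Only Organization Management role; nothing in it changes state. Empty results for sections 1 and 2 do not clear a server that was exposed unpatched, since the permission grants can be removed after the data is taken, so pair the output with admin audit logging (Search-AdminAuditLog) for the same window.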