Exchange Exploitation: Not Dead Yet

The mass exploitation of Exchange Servers has been a wake-up call, and it will take all parties playing in concert for the industry to react, respond, and recover.

John Hammond, Senior Security Researcher, Huntress

May 10, 2021

5 Min Read

"March Madness" is a jovial nickname for the third month of the year — but in 2021, the cybersecurity industry felt the brunt of March madness for a reason other than basketball: mass exploitation of Microsoft Exchange Servers. Almost two months later, we're still living in the aftermath of this widespread incident.

On March 1, Huntress learned about new vulnerabilities that would offer an unauthorized actor full control of a Microsoft Exchange server. These vulnerabilities were not yet disclosed, but enterprise organizations and small- to medium-sized businesses were already being exploited. On March 2, Microsoft released its first security advisory, warning companies about these dangerous vulnerabilities. Unfortunately, it seemed Microsoft's initial announcement missed the mark.

What became dubbed as "Exchange Marauder," Microsoft originally described as "limited and targeted [in scope]," yet practically every version of Exchange was vulnerable, and these servers are publicly facing on the open Internet. While cloud servers were not affected and only on-premises installations of Exchange were susceptible to this attack, soon more than 30,000 organizations in the US alone were known to be affected.

Some experts say attacks using these vulnerabilities began as early as January 6. A successful exploit chained together multiple vulnerabilities to eventually gain remote code execution (RCE) on the target host by dropping a "Web shell" in a publicly accessible location. These Web shells were unique files that would process and evaluate code on the server itself and allow anyone who knew the specific key or parameter to run commands and fully control the machine as an administrative user.

The early days of the month were filled with chaos and uncertainty. It was difficult to determine if the initial patches that Microsoft released were in effect, and if there was presence of any Web shell, you were already compromised, and the patch wouldn't help. The cybersecurity industry got scrappy: We were notifying individuals through Reddit, doing threat hunting and intelligence on Twitter, sharing indicators of compromise on GitHub and Pastebin ... whatever was the fastest method to disseminate information.

While the industry was screaming from the rooftops to patch, patch, patch, we also wanted to contribute to the threat intelligence and help inform organizations of potential indicators of compromise (IoCs). The most blatant IoC is a Web shell itself. These Web shells follow the structure of a "China Chopper," a nickname given to a style of simple, minimalist syntax to run a command supplied as part of the Web request.

These have typically been found in the C:\inetpub\wwwroot\aspnet_client directory or subdirectories, with unfamiliar or random filenames and a .aspx extension. (We have seen a large amount of variations to these Web shells and have been archiving them here.)

Initially, these Web shells seemed to slip past most every antivirus (AV), endpoint detection and response (EDR), or preventive security solution.


An excerpt of our inventoried Web shells, indicating the filename, when it was modified, and preventive security software installed on the host. The timestamps indicated in red are our earliest identified compromise, days before the initial reporting from Microsoft. Credit: Huntress

Prevention is hard. Now, just about every AV and EDR product will get ahead of this. It does show, however, that this small, simple syntax slipped by and shook up the industry.

After the Web shell is in place and the threat actors have gained access, the question becomes "what will they do next?" What becomes of these targets and victims after the compromise? While the hackers have complete administrative access, they could drop ransomware, farm this machine into a botnet, deface the victim's websites, steal and sell data … anything they would like.

We have since seen indicators of ransomware targeting these compromised Exchange Servers dubbed "DearCry." DearCry uses both AES and RSA cryptography and leaves files encrypted with a "DEARCRY!" header at the top of the file contents.

More often than ransomware, surprisingly, is evidence of cryptocurrency miners. An old family of cryptomining malware, "LemonDuck," has reemerged.

LemonDuck hides through multiple obfuscated payloads but uses RSA to validate each stage. While there are many domains and IoCs associated with LemonDuck, the most frequent that Huntress has seen as recently as March has been the http[:]//t[.]zker9[.]com and http[:]//t[.]zz3r0[.]com domains.

A persistent foothold of LemonDuck uses PowerShell to download another stager, validating it with RSA.

A clever trick that stagers like this use is appending the current date or time as a variable when requesting data from an external server. This gets around HTTP caching and ensures the content that is received is always the latest copy.

The downloaded code is then executed with "fileless malware" techniques using the IEX syntax, a PowerShell alias for "Invoke-Expression" that evaluates code on the fly. The next layer of code it pulls down runs yet another stager in memory, which is obfuscated by using reversed strings. All of these techniques are attempts for this malware to remain undetected by automated solutions or AV/EDR products.

After six stages of obfuscation, we see the raw source code of this LemonDuck malware written in PowerShell. It checks the architecture of the victim, detects the processor type, and downloads the appropriate mining software. LemonDuck installs its own persistence so it can continue to run on reboot and throttles the computer's resources to earn more money for the attacker.

Unfortunately, around 6% of Exchange Servers today have not been patched and are still vulnerable. These exploits can result in a full domain compromise and cannot be taken lightly.

Microsoft has released its April Security Update, disclosing even more critical vulnerabilities against Exchange. Allegedly, these vulnerabilities have been exploited in the wild, but the impetus to patch should be the same as in March. Two of these new vulnerabilities don't require authentication and can be triggered without user interaction, ultimately gaining the attacker RCE. These vulnerabilities are grave and should not be neglected. Threat hunters and security researchers will continue to monitor for any IoCs and share new information as it is released.

We cannot rely on automated solutions alone. Automation is divine, but manual analysis and human investigation are musts. China Chopper Web shells slid under the radar, post-access malware and Trojans continue to bypass defenses with clever obfuscation and evasion techniques — and this research requires context and expertise from security practitioners. While the mass exploitation of Exchange Servers has been a wake-up call, it takes all parties playing in concert for the industry to react, respond, and recover.

About the Author(s)

John Hammond

Senior Security Researcher, Huntress

John Hammond is a Security Researcher at Huntress as well as a cybersecurity instructor, developer, red teamer, and CTF enthusiast. John is a former Department of Defense Cyber Training Academy curriculum developer and teacher for the Cyber Threat Emulation course, educating both civilian and military members on offensive Python, PowerShell, other scripting languages and the adversarial mindset. He personally developed training material and infosec challenges for events such as PicoCTF and the "Capture the Packet" competition at DEFCON US. John speaks at security conferences such as BsidesNoVA, to students at colleges such as the University of North Carolina Greensboro, and other events like the SANS Holiday Hack Challenge/KringleCon. He is an online YouTube personality showcasing programming tutorials, cyber security guides, and CTF video walkthroughs. John currently holds the following certifications: Security+, eJPT, eCPPT, CEH, PCAP, OSWP, OSCP, OSCE, and OSWE.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights