Threat actors are using a few dangerous new tactics to exploit the so-called ProxyShell set of vulnerabilities in on-premises Exchange servers that Microsoft patched earlier this year – and which were the target of widespread attacks in July.
In several recent incident response engagements, Mandiant researchers found that attackers had abused ProxyShell to drop web shells on vulnerable systems in a different – and more difficult to detect – way than that used in previous attacks. . In some attacks, malicious actors have completely ignored web shells and instead created their own hidden and privileged mailboxes, giving them the ability to take control of accounts and create other problems.
As many as 30,000 Internet-connected Exchange servers remain vulnerable to these attacks because they have not been patched, Mandiant said.
ProxyShell is a set of three vulnerabilities in Exchange Server: CVE-2021-34473, a critical remote code execution vulnerability that does not require user actions or privileges to exploit; CVE-2021-34523, a post-authentication elevation of privilege vulnerability; and CVE-2021-31207, a medium-severity post-authentication vulnerability that allows attackers to gain administrative access to vulnerable systems. The vulnerabilities exist in several versions of Exchange Server 2013, 2016, and 2019.
Microsoft fixed the flaws in April and May, but didn’t assign a CVE or disclose the fixes until July. In August, the US Agency for Cybersecurity and Infrastructure Security (CISA) warned of attackers linking the three flaws to exploit vulnerable Exchange servers.
Security vendors reported that threat actors were exploiting the loopholes primarily to deploy web shells to Exchange servers that they could use in future attacks. An analysis by Huntress Labs revealed that the most common web shell deployed by attackers was XSL Transform. Other common web shells included the Encrypted Reflective Assembly Loader, Comment Separation and Obfuscation of the “Dangerous” Keyword, Jscript Base64 Encoding and Character Casting, and the Arbitrary File Downloader.
Joshua Goddard, a consultant to Mandiant’s incident response team, says attackers who exploited ProxyShell initially abandoned web shells through mailbox export requests. “
These web shells could be used to access Exchange servers remotely and further compromise organizations, such as deploying ransomware to devices, ”he said.
But anti-virus and endpoint detection and response (EDR) vendors quickly created detections for web shells created through mailbox export. This is probably what prompted attackers to look for new avenues to take advantage of Exchange Server systems that are still unpatched against ProxyShell, Goddard says.
The tactic attackers now use is to export web shells from the certificate store.
“Web shells created by this means do not have the same file structure as those created by exporting mailboxes, so attackers have had some success with this because not all security tools have a appropriate detections in place, ”notes Goddard.
Mandiant researchers also observed ProxyShell attacks where threat actors did not deploy web shells but instead created highly privileged mailboxes that were hidden from the address list. They gave these mailboxes permissions to other accounts, then logged in through the web client to browse or steal data.
“This is the most significant change in tactics,” said Goddard. “Attackers Use ProxyShell Vulnerabilities to Compromise Work Email [BEC] by interfacing exclusively with Exchange services, instead of the operating systems that host them, ”as is the case with the removal of web shells.
Attackers with this type of access could potentially launch phishing attacks against other entities using the victim organization’s email infrastructure, he warns. Since no malicious files are deposited on disk, it becomes more difficult for organizations to detect these attacks.
Exchange server fault series
Microsoft – and, by extension, its customers – has had its fair share of problems with Exchange Server flaws this year.
The most notable was in March, when the company had to deploy emergency fixes for a set of four vulnerabilities in the technology, collectively known as ProxyLogon. The fixes came after a Chinese threat group called Hafnium, and later others, were discovered actively exploiting loopholes in thousands of organizations. Concerns about the attacks were so high that a court authorized the FBI to take the unprecedented step of removing web shells the attackers had dropped on systems belonging to hundreds of US organizations, without first notifying them. .
In September, Trend Micro researchers reported finding ProxyToken, another Exchange Server flaw that allowed attackers to copy targeted emails or forward them to an account controlled by the attacker. During the year, Microsoft disclosed other Exchange Server vulnerabilities of varying severity, including a zero-day threat (CVE-2021-42321) which the company addressed in its November security update.
Goddard says that at least some of the 30,000 systems that are found to be vulnerable to ProxyShell are probably honeypots; however, many are not.
“Organizations that applied the patches early may be safe, but organizations that have not yet applied the patches and whose servers are connected to the Internet are at significant risk,” he warns.
Organizations that have not been patched for some time since the vulnerabilities were disclosed should conduct a review of all unknown files on servers, mailbox accounts, and mailbox permissions, says. he.
“Organizations need to detect and validate newly created files outside of change windows and have visibility into configuration changes to their Exchange infrastructure, which need to be tied to defined change requests,” Goddard explains.