All posts by Andrew Christian

Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange 0-day

Post Syndicated from Andrew Christian original https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/

Starting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in InsightIDR’s Attacker Behavior Analytics (ABA). The Managed Detection and Response (MDR) team identified multiple related compromises in the past 72 hours. In most cases, the attacker uploads an “eval” webshell, commonly referred to as a “chopper” or “China chopper”. With this foothold, the attacker then uploads and executes tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.

Summary

At close to midnight UTC on February 27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:

  • Attacker Tool – China Chopper Webshell Executing Commands
  • Attacker Technique – ProcDump Used Against LSASS

Upon further inspection of Enhanced Endpoint Telemetry data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible to the public Internet. Exposing web services to the public internet is a common practice for customers with on-premise instances of Microsoft Exchange to provide their users with email services over the web through Outlook Web Access (OWA).

Using Project Sonar, Rapid7’s Labs team was able to identify how target-rich an environment attackers have to work with: Nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which proof-of-concept exploit code is readily available) were exposed to the public internet.

With the compromise identified, our team of Customer Advisors alerted our customers to this activity. Meanwhile, our analysts quickly began performing deeper inspection of the logs uploaded to InsightIDR along with collecting additional forensic information directly from the compromised endpoints. Within a very short period of time, our analysts were able to identify how the attackers were executing commands, where they were coming from, and what tools they were using. This information allowed Rapid7 to provide proactive, actionable steps to our customers to thwart the attack. Additionally, our analysts worked jointly with our Threat Intelligence and Detection Engineering (TIDE) team to review the collected data for the purpose of immediately developing and deploying additional detections for customers.

Three days later, on March 2, 2021, Microsoft acknowledged and released information on the exploitation of 0-day vulnerabilities in Microsoft Exchange by an actor they refer to as “hafnium.” They also released patches for Microsoft Exchange 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, as well as others).

Despite this vulnerability being unknown to the public, Rapid7 was able to identify the attackers’ presence on systems and help defend against the use of these 0-day exploits with our Attacker Behavior Analytics library.

Rapid7 recommends that everyone running Microsoft Exchange apply these patches immediately as they are being exploited in the wild by a sophisticated adversary.

Technical Analysis of Attacker Activity

1. Automated scanning to discover vulnerable Exchange servers from the following DigitalOcean IP addresses:

  • 165.232.154.116
  • 157.230.221.198
  • 161.35.45.41

2. Analysis of Internet Information Services (IIS) logs shows a POST request is then made from the scanning DigitalOcean IP to multiple paths and files:

  • /ecp/y.js
  • /rpc/
  • /owa/auth/signon.aspx
  • /aspnet_client/system_web/<random_name>.aspx
      IIS path ex: /aspnet_client/system_web/TInpB9PE.aspx
      File system path ex: C:\inetpub\wwwroot\aspnet_client\system_web\TInpB9PE.aspx
  • /aspnet_client/aspnet_iistart.aspx
      File system path: C:\inetpub\wwwroot\aspnet_client\aspx_iistart.aspx
  • /aspnet_client/aspx_client.aspx
      File system path: C:\inetpub\wwwroot\aspnet_client\aspx_client.aspx
  • /aspnet_client/aspnet.aspx
      File system path: C:\inetpub\wwwroot\aspnet_client\aspnet.aspx

In some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests in the following locations:

  • C:\Windows\Microsoft.NET\Framework64\<version>\Temporary ASP.NET Files\root\
  • C:\Windows\Microsoft.NET\Framework64\<version>\Temporary ASP.NET Files\owa\

3. Next, a command executes, attempting to delete the “Administrator” from the “Exchange Organization administrators” group:

  • cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]

4. With the command executed, and the webshell successfully uploaded, interaction with the webshell will begin from a different IP.

  • We have monitored interaction from 45.77.252[.]175

5. Following the POST request, multiple commands are executed on the asset:

a. Lsass.exe dumping using procdump64.exe and C:\Temp\update.exe (MD5: f557a178550733c229f1087f2396f782):

  • cmd /c cd /d C:\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]

b. Reconnaissance commands:

  • whoami.exe
  • ping.exe
  • tasklist.exe
  • quser.exe
  • query.exe
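As an added illustration of the two ABA detections named above and the group-deletion command in step 3 (this is not Rapid7's detection logic and not InsightAgent's event format), the following Python sketch runs those patterns over constructed process-creation events; the event field names (parent, image, cmdline) are assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical EDR telemetry shape, not InsightAgent's).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\root\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c dir C:\Users"},
]

# China Chopper wraps every command in "echo [S]&cd&echo [E]" so it can parse the output.
CHOPPER_RE = re.compile(r"echo \[S\]&cd&echo \[E\]", re.IGNORECASE)
# procdump with a full memory dump (-ma) of lsass is the credential-theft step seen in the post.
PROCDUMP_RE = re.compile(r"procdump(64)?\.exe.*\s-ma\s+lsass(\.exe)?", re.IGNORECASE)
NET_GROUP_DEL_RE = re.compile(r'net\s+group\s+"Exchange Organization administrators".*\s/del\b', re.IGNORECASE)
IIS_WORKER = "w3wp.exe"  # a shell spawned by the IIS worker process is what makes the webshell visible


def classify(event):
    """Return the detection names triggered by a single process event."""
    hits = []
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    if parent.endswith(IIS_WORKER) and CHOPPER_RE.search(cmd):
        hits.append("China Chopper Webshell Executing Commands")
    if PROCDUMP_RE.search(cmd):
        hits.append("ProcDump Used Against LSASS")
    if NET_GROUP_DEL_RE.search(cmd):
        hits.append("Exchange Organization administrators group modification")
    return hits


def scan(events):
    """Pair each event index with every detection it triggers."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]
```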

Indicators Of Compromise (IOCs)

Type         Value
IP Address   165.232.154.116
IP Address   157.230.221.198
IP Address   161.35.45.41
IP Address   45.77.252.175
URL          /ecp/y.js
URL          /ecp/DDI/DDIService.svc/GetList
URL          /ecp/DDI/DDIService.svc/SetObject
User Agent   python-requests/2.25.1


Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)

Post Syndicated from Andrew Christian original https://blog.rapid7.com/2021/03/02/indiscriminate-exploitation-of-microsoft-exchange-servers-cve-2021-24085/

The following blog post was co-authored by Andrew Christian and Brendan Watters.

Beginning Feb. 27, 2021, Rapid7’s Managed Detection and Response (MDR) team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers remote access. The suspected vulnerability being exploited is a cross-site request forgery (CSRF) vulnerability: The likeliest culprit is CVE-2021-24085, an Exchange Server spoofing vulnerability released as part of Microsoft’s February 2021 Patch Tuesday advisory, though other CVEs may also be at play (e.g., CVE-2021-26855, CVE-2021-26865, CVE-2021-26857).

The following China Chopper command was observed multiple times beginning Feb. 27 using the same DigitalOcean source IP (165.232.154.116):

cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]

Exchange or other systems administrators who see this command—or any other China Chopper command in the near future—should look for the following in IIS logs:

  • 165.232.154.116 (the source IP of the requests)
  • /ecp/y.js
  • /ecp/DDI/DDIService.svc/GetList

Indicators of compromise (IOCs) from the attacks we have observed are consistent with IOCs for publicly available exploit code targeting CVE-2021-24085 released by security researcher Steven Seeley last week, shortly before indiscriminate exploitation began. After initial exploitation, attackers drop an ASP eval webshell before (usually) executing procdump against lsass.exe in order to grab all the credentials from the box. It would also be possible to then clean some indicators of compromise from the affected machine[s]. We have included a section on CVE-2021-24085 exploitation at the end of this document.

Exchange servers are frequent, high-value attack targets whose patch rates often lag behind attacker capabilities. Rapid7 Labs has identified nearly 170,000 Exchange servers vulnerable to CVE-2021-24085 on the public internet.

Rapid7 recommends that Exchange customers apply Microsoft’s February 2021 updates immediately. InsightVM and Nexpose customers can assess their exposure to CVE-2021-24085 and other February Patch Tuesday CVEs with vulnerability checks. InsightIDR provides existing coverage for this vulnerability via our out-of-the-box China Chopper Webshell Executing Commands detection, and will alert you about any suspicious activity. View this detection in the Attacker Tool section of the InsightIDR Detection Library.

CVE-2021-24085 exploit chain

As part of the PoC for CVE-2021-24085, the attacker will search for a specific token using a request to /ecp/DDI/DDIService.svc/GetList. If that request is successful, the PoC moves on to writing the desired token to the server’s filesystem with the request /ecp/DDI/DDIService.svc/SetObject. At that point, the token is available for downloading directly. The PoC uses a download request to /ecp/poc.png (though the name could be anything) and may be recorded in the IIS logs themselves attached to the IP of the initial attack.

Indicators of compromise would include the requests to both /ecp/DDI/DDIService.svc/GetList and /ecp/DDI/DDIService.svc/SetObject, especially if those requests were associated with an odd user agent string like python. Because the PoC utilizes SetObject to write the token to the server’s filesystem in a world-readable location, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker’s IP downloaded any files.
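Added example, not code from either post or from Rapid7: a small Python parser for IIS W3C log lines that flags the IOCs listed in both posts (attacker IPs, PoC URLs, python-requests user agent, POSTs to aspx files under /aspnet_client) and then correlates the GetList, SetObject and download sequence described above per client IP, so the final GET points responders at the candidate token file. The log excerpt and its #Fields selection are constructed sample data.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (sample data, not a real capture); columns follow the #Fields line.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-02-27 23:58:01 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList - 443 - 165.232.154.116 python-requests/2.25.1 200
2021-02-27 23:58:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 443 - 165.232.154.116 python-requests/2.25.1 200
2021-02-27 23:58:03 10.0.0.5 GET /ecp/poc.png - 443 - 165.232.154.116 python-requests/2.25.1 200
2021-02-27 23:59:10 10.0.0.5 POST /aspnet_client/system_web/TInpB9PE.aspx - 443 - 45.77.252.175 Mozilla/5.0 200
2021-02-28 08:01:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

IOC_IPS = {"165.232.154.116", "157.230.221.198", "161.35.45.41", "45.77.252.175"}
IOC_PATHS = {"/ecp/y.js", "/ecp/ddi/ddiservice.svc/getlist", "/ecp/ddi/ddiservice.svc/setobject"}


def parse_iis(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def flag_row(row):
    """Per-line IOC hits drawn from the two posts."""
    hits = []
    stem = row["cs-uri-stem"].lower()
    if row["c-ip"] in IOC_IPS:
        hits.append("known attacker IP")
    if stem in IOC_PATHS:
        hits.append("CVE-2021-24085 PoC path")
    if row["cs(User-Agent)"].lower().startswith("python-requests"):
        hits.append("python-requests user agent")
    if row["cs-method"] == "POST" and stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        hits.append("POST to aspx under /aspnet_client (possible webshell)")
    return hits


def find_token_chains(rows):
    """Per client IP: GetList, then SetObject, then a GET under /ecp/ (candidate token download)."""
    stage, chains = defaultdict(int), defaultdict(list)  # stage: 0 none, 1 GetList seen, 2 SetObject seen
    for r in rows:
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        if stem.endswith("/getlist"):
            stage[ip] = max(stage[ip], 1)
        elif stem.endswith("/setobject") and stage[ip] >= 1:
            stage[ip] = 2
        elif r["cs-method"] == "GET" and stem.startswith("/ecp/") and stage[ip] == 2:
            chains[ip].append(r["cs-uri-stem"])
    return dict(chains)
```

Real IIS logs encode spaces in the user agent as "+" so the whitespace split above holds; extend IOC_IPS and IOC_PATHS with the values from your own environment before running it over production logs.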
