Public proof-of-concept (PoC) exploits for ProxyLogon could be fanning a feeding frenzy of attacks even as patching makes progress.
As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the ProxyLogon group of security bugs, a public proof-of-concept (PoC) whirlwind has started up. It’s all leading to a feeding frenzy of cyber-activity.
The good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.
Researchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.
“APTs…can reverse engineer the patches and make their own PoCs,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. “But publicly posted PoCs mean that the thousands of other hacker groups that don’t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.”
After confirming the efficacy of one of the new public PoCs, security researcher Will Dorman of CERT/CC tweeted, “How did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.”
What is the ProxyLogon Exploit Against Microsoft Exchange?
Microsoft said in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange servers.
Four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.
And indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.
Microsoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.
It’s also apparent that Hafnium isn’t the only party of interest, according to multiple researchers; ESET said last week that at least 10 different APTs are using the exploit.
The sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit’s provenance – and ESET researchers mused whether it was shared around the Dark Web on a wide scale.
Several versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.
How Many Organizations and Which Ones Remain at Risk?
Microsoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ indicated that as of March 14, there were 69,548 Exchange servers that were still vulnerable. And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.
“We released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,” according to post published by Microsoft last week.
However, Check Point Research (CPR) said this week that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.
According to CPR’s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).
The most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).
“While the numbers are falling, they’re not falling fast enough,” RiskIQ said in its post. “If you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet—this is a common issue we see with new customers.”
It added, “Another is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.”
Will the ProxyLogon Attacks Get Worse?
Unfortunately, it’s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang published a PoC on GitHub, which chained two of the ProxyLogon vulnerabilities together.
GitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.
Then over the weekend, another PoC appeared, flagged and confirmed by CERT/CC’s Dormann:
Well, I’ll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.https://t.co/ubsysTeFOj
I’m not so sure about the “Failed to write to shell” error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. pic.twitter.com/ijOGx3BIif— Will Dormann (@wdormann) March 13, 2021
Earlier, Praetorian researchers on March 8 published a detailed technical analysis of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. The technical details offer a public roadmap for reverse-engineering the patch.
The original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft’s information-sharing program, according to a recent report in the Wall Street Journal. In light of evidence that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.
MAPP delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.
“Some of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,” according to the report. “Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.”
Microsoft Mitigation Tool
Microsoft has released an Exchange On-premises Mitigation Tool (EOMT) tool to help smaller businesses without dedicated security teams to protect themselves.
“Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,” according to a post published by Microsoft. “This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.”
Microsoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the Microsoft Safety Scanner to identify any existing compromises. Then, it will remediate those.
China Chopper Back on the Workbench
Amid this flurry of activity, more is becoming known about how the attacks work. For instance, the APT Hafnium first flagged by Hafnium is uploading the well-known China Chopper web shell to victim machines.
That’s according to an analysis from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.
China Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. Once established, the backdoor — which hasn’t been altered much since its inception nearly a decade ago — allows adversaries to execute various commands on the server, drop malware and more.
“While the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,” according to Trustwave. “The China Chopper server-side ASPX web shell is extremely small and typically, the entire thing is just one line.”
Hafnium is using the JScript version of the web shell, researchers added.
“The script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript ‘eval’ function to execute the string inside a given POST request variable,” researchers explained. “In the…script, the POST request variable is named ‘secret,’ meaning any JScript contained in the ‘secret’ variable will be executed on the server.”
Researchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker’s systems.
“This client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,” explained Trustwave researchers. “All this is made available just from the one line of code running on the server.”