Update – Microsoft Exchange Server Vulnerabilities

This is an update to an earlier report this month regarding Microsoft Exchange Server. Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

• CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
• CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.  
  • CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
• To locate a possible compromise of these CVEs, we encourage you to read the Microsoft Advisory.

It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.

(Updated March 12, 2021): Microsoft Security Intelligence has released a tweet on DearCry ransomware being used to exploit compromised on-premises Exchange Servers. Ransomware infections can have negative consequences to an affected organization, including:

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

(Updated March 12, 2021): CISA encourages organizations to review CISA’s Ransomware web page for guidance and resources. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

Tactics, Techniques and Procedures

(Updated March 10, 2021): Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly encourages organizations to run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised.

(Updated March 10, 2021): CISA recommends investigating for signs of a compromise from at least January 1, 2021 through present. 

(Updated March 13, 2021): CISA has identified seven webshells associated with this activity. This is not an all-inclusive of webshells that are being leveraged by actors. CISA recommends organizations review the following malware analysis reports (MARs) for detailed analysis of the seven webshells, along with TTPs and IOCs. 

1. AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
2. AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
3. AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
4. AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
5. AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
6. AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
7. AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell

(Updated March 13, 2021): A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine. Webshells are utilized for the following purposes:

• To harvest and exfiltrate sensitive data and credentials;
• To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
• To use as a relay point to issue commands to hosts inside the network without direct internet access;
• To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.

(Updated March 13, 2021): For more information, see TA15-314A Compromised Web Servers and Web Shells – Threat Awareness and Guidance.

The majority of the TTPs in this section are sourced from a blog post from Volexity, a third party cybersecurity firm. 

Volexity has observed the following files as targets of HTTP POST requests:

• /owa/auth/Current/themes/resources/logon.css
• /owa/auth/Current/themes/resources/owafont_ja.css
• /owa/auth/Current/themes/resources/lgnbotl.gif
• /owa/auth/Current/themes/resources/owafont_ko.css
• /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
• /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
• /owa/auth/Current/themes/resources/lgnbotl.gif

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

The logs can be found at <exchange install path>\Logging\ECP\Server\.

To determine possible webshell activity, administrators should search for aspx files in the following paths:

• \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
• \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
• \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
• \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any aspx file in this folder or subfolders)
• \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any aspx file in this folder or subfolders)

Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.

These should not be taken as definitive IOCs:

• DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
• facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
• Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
• Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
• Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
• Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
• Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
• Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
• Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

Volexity observed these user-agents in conjunction with exploitation to /ecp/ URLs:

• ExchangeServicesClient/0.0.0.0
• python-requests/2.19.1
• python-requests/2.25.1

These user-agents were also observed having connections to post-exploitation web-shell access:

• antSword/v2.1
• Googlebot/2.1+(+http://www.googlebot.com/bot.html)
• Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs:

• POST /owa/auth/Current/
• POST /ecp/default.flt
• POST /ecp/main.css
• POST /ecp/<single char>.js

Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

• 103.77.192[.]219
• 104.140.114[.]110
• 104.250.191[.]110
• 108.61.246[.]56
• 149.28.14[.]163
• 157.230.221[.]198
• 167.99.168[.]251
• 185.250.151[.]72
• 192.81.208[.]169
• 203.160.69[.]66
• 211.56.98[.]146
• 5.254.43[.]18
• 5.2.69[.]14
• 80.92.205[.]81
• 91.192.103[.]43