THE THREAT
eSentire has observed active exploitation of the ProxyShell vulnerabilities; external sources have confirmed attacks are ongoing. Multiple threat actor groups are exploiting the cluster of Exchange vulnerabilities known as ProxyShell: CVE-2021-31207, CVE-2021-34523, CVE-2021-34473. Exploitation of the ProxyShell vulnerabilities may result in Remote Code Execution (RCE). In observed attacks, threat actors have been identified deploying webshells to unpatched Exchange servers for later access.
Security patches for all three vulnerabilities have been available since May 2021. It is critical that organizations ensure security patches have been deployed. If the relevant security patches have not already been deployed and the vulnerable server is exposed to the Internet, organizations should assume exploitation has occurred.
What we’re doing about it
- eSentire MDR for Log detects potential abuse of Autodiscover, IMAP, and PowerShell services employed in this attack, as well as attempts to export the mailbox
- eSentire MDR for Endpoint detects webshell installation resulting from successful exploitation
- eSentire Managed Vulnerability Service (MVS) has local plugins in place to detect devices vulnerable to ProxyShell attacks
- IP addresses, associated with real-world attacks, have been blocked via eSentire MDR for Network
What you should do about it
- Ensure that the latest Microsoft security patches have been applied to Exchange systems. At a minimum, the May 2021 updates should be applied
- If the minimum patches have not yet been applied, customers are encouraged to review the Incident Observables below and contact the Security Operations Center for assistance.
- Clients with MDR for Endpoint should ensure endpoint agents are deployed to critical servers including Exchange.
- Clients with eSentire MDR for Log should ensure Exchange IIS Logs and Exchange Control Panel (ECP) Logs are collected.
- Contact your Customer Success Manager if you would like to enable or confirm proper Exchange logging.
Additional information
ProxyShell is comprised of three Exchange vulnerabilities chained together to execute malicious code on vulnerable servers:
- CVE-2021-34473 - Pre-authentication Remote Code Execution
- CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend
- CVE-2021-31207 - Post-authentication Remote Code Execution
The attack was demonstrated at Pwn2own 2021 in April 2021. Microsoft patched the vulnerabilities in their April and May 2021 security updates respectively. CVE-2021-34473 and CVE-2021-34523 were disclosed in July but originally patched in the April 2021 security updates.
Following researcher Orange Tsai’s technical reveal of the vulnerabilities at Black Hat 2021, attacker interest has grown. eSentire security teams observed Proof-of-Concept code posted to GitHub and Metasploit modules in mid-August, greatly facilitating attacks. Widespread exploitation in the wild was observed in external reports ,and eSentire security teams have responded to several incidents at our customers.
Incident Observables
In observed exploitation events, webshells are uploaded to vulnerable Exchange servers via ProxyShell vulnerabilities and remotely accessed via port 443 from the Internet.
Webshell Creation
- ProxyShell utilizes the New-MailboxExportRequest PowerShell cmdlet to export a payload to the webroot directory on Exchange. This results in randomly named files with the .aspx extension written by the MSExchangeMailboxReplication.exe process.
- E.g. \wwwroot\aspnet_client\exymm.aspx
- Observed directories containing webshells:
- C:\inetpub\wwwroot\aspnet_client\
- C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- Huntress Labs has observed attackers modifying an Exchange configuration file to hide webshells via virtual directory paths. The file C:\Windows\System32\inetsrv\Config\applicationHost.config can be examined for presence of new virtual directories.
Webshell Interaction
- Attackers interact with the webshell via HTTP requests to the .aspx file.
- Web traffic logs (such as IIS logs on Exchange) can be examined for HTTP POST requests to aspx files to identify webshell interaction.
- For example: POST /aspnet_client/exymm.aspx
Aspx Webshell Content
- Malcious .aspx files contain valid code encapsulated with random or encoded data. Malicious code can be identified by examining the contents of the file using tools such as strings or a hex editor.
- Several variations have been observed, examples are included below for reference.
IP Addresses Observed in Exploitation Events:
140.211[.]84.180
95.177[.]214.144
37.120[.]232.77
45.142[.]213.65
References:
[1] https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell
[2] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
[5] https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
[6] https://twitter.com/DaveKleinatland/status/1429690829166235648