
In response to the recent Microsoft Exchange exploits, and the desire to funnel relevant information into a single source, Contextual Security Solutions has consolidated some information regarding the recent 0-day exploitation. If you are running MS-Exchange (2013, 2016, 2019) on premise, this applies to you. If you are using O365, there is currently no evidence this would apply. Patches are available, but remember that a patch closes the vulnerability; it does not stop an ongoing incident if the vulnerability has already been exploited. Four separate 0-day exploits are in play, and according to the researchers who discovered the problem, exploitation is not difficult. Please read all of the references, as all material was taken directly from their pages.
Indicators of Compromise
Indicators of Compromise (IoCs) also known as THINGS YOU SHOULD BE LOOKING FOR TO SEE IF YOUR ENVIRONMENT IS AFFECTED
Look for outbound connections to the following IPs (subject to change as more information is gathered):
165.232.154.116 | 104.248.49.97 | 103.77.192.219 | 104.140.114.110 | 104.250.191.110 |
108.61.246.56 | 149.28.14.163 | 157.230.221.198 | 167.99.168.251 | 185.250.151.72 |
192.81.208.169 | 203.160.69.66 | 211.56.98.146 | 5.254.43.18 | 80.92.205.81 |
Check Exchange logs for the following (taken directly from the MS blog referenced later):
Microsoft PowerShell script that automates collection of logs: https://github.com/microsoft/CSS-Exchange/tree/main/Security
- CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:
- These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
- Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/*
- Here is an example PowerShell command to find these log entries (the empty string compared against AuthenticatedUser is two single quotes):
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox
- If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.
- These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
- CVE-2021-26858 exploitation can be detected via the Exchange log files:
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
- Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory
- In case of exploitation, files are downloaded to other directories (UNC or local paths)
- Windows command to search for potential exploitation:
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
- CVE-2021-26857 exploitation can be detected via the Windows Application event logs
- Exploitation of this deserialization bug will create Application events with the following properties:
- Source: MSExchange Unified Messaging
- EntryType: Error
- Event Message Contains: System.InvalidCastException
- The following PowerShell command queries the Application event log for these entries:
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
- CVE-2021-27065 exploitation can be detected via the following Exchange log files:
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.
- Following is a PowerShell command to search for potential exploitation:
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
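The InternalUrl/ExternalUrl rule above, as an added Python example (not from the original post or from Microsoft's tooling) that audits lines in the path:line:text shape Select-String prints; the ECP log layout and the three sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample hits in the "path:line:text" shape Select-String prints.
# The layout of a real ECP Server log entry is an assumption; only the cmdlet
# text on each line matters to the check.
SAMPLE_HITS = [
    r"C:\Logs\ECP\Server1.log:412:Set-OwaVirtualDirectory -Identity 'MAIL01\owa (Default Web Site)' -InternalUrl 'https://mail01.contoso.example/owa' -ExternalUrl 'https://mail.contoso.example/owa'",
    r"C:\Logs\ECP\Server1.log:518:Set-OabVirtualDirectory -Identity 'MAIL01\OAB (Default Web Site)' -ExternalUrl 'http://mail01/OAB/<placeholder>'",
    r"C:\Logs\ECP\Server1.log:601:Set-EcpVirtualDirectory -Identity 'MAIL01\ecp (Default Web Site)' -InternalUrl 'javascript:void(0)'",
]

HIT_LINE = re.compile(r"^(?P<path>.*?):(?P<line>\d+):(?P<text>.*)$")
CMDLET = re.compile(r"Set-\w+VirtualDirectory", re.IGNORECASE)
# -InternalUrl / -ExternalUrl followed by a quoted or bare value.
URL_PARAM = re.compile(r"-(InternalUrl|ExternalUrl)\s+(['\"]?)(.*?)\2(?:\s|$)", re.IGNORECASE)
# The characters RFC 3986 permits in a URI; '<', '>', '"' and whitespace are not among
# them, so markup or script text in the value fails this test before the URI is parsed.
URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def is_plain_http_uri(value: str) -> bool:
    """Accept only an http(s) URI with a host and nothing but URI characters."""
    if not URI_CHARS.match(value):
        return False
    parts = urlsplit(value)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def audit_virtual_directory_hits(lines) -> list:
    """Return one finding per InternalUrl/ExternalUrl value that is not a plain http(s) URI."""
    findings = []
    for line in lines:
        m = HIT_LINE.match(line)
        cmd = CMDLET.search(m.group("text")) if m else None
        if not cmd:
            continue
        for param, _quote, value in URL_PARAM.findall(m.group("text")):
            if not is_plain_http_uri(value):
                findings.append({"path": m.group("path"), "line": int(m.group("line")),
                                 "cmdlet": cmd.group(0), "param": param, "value": value})
    return findings


if __name__ == "__main__":
    for f in audit_virtual_directory_hits(SAMPLE_HITS):
        print(f"{f['path']}:{f['line']} {f['cmdlet']} -{f['param']} {f['value']!r}")
```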
Check for the following file names as potential web shells (this list is not exhaustive; any unknown .aspx is suspect):
web.aspx | help.aspx | document.aspx | errorEE.aspx | errorEEE.aspx |
errorEW.aspx | errorFF.aspx | healthcheck.aspx | aspnet_www.aspx | aspnet_client.aspx |
xx.aspx | shell.aspx | aspnet_iisstart.aspx | one.aspx |
Known hashes for compromised web shells: (I’m assuming these are MD5, MS blog didn’t say)
Web shells have been observed in:
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\
In Microsoft Exchange Server installation paths such as:
%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Exchange\FrontEnd\HttpProxy\owa\auth\
References
Blogs
Discovered by Volexity: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
Rapid7 blog (cached version as it appears to be gone)
Krebs on Security: https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/
CISA: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
Vendor Response:
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
https://github.com/microsoft/CSS-Exchange/tree/main/Security (PowerShell script written by MS to test for exploitation)
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/