Microsoft’s Defender ATP Research Team has released guidance on how to protect against attacks targeting Exchange servers by blocking malicious activity identified with the help of behavior-based detection.
The researchers analyzed multiple campaigns targeting Exchange servers in early April, which showed how threat actors deployed web shells on on-premises Exchange servers. Attackers can use compromised Exchange servers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.
Typically, Exchange servers are compromised via social engineering or drive-by download attacks, or by exploiting RCE vulnerabilities affecting the underlying Internet Information Services (IIS) component of a target Exchange server. While the first scenario is more common, the researchers say they observed an increase in attacks targeting RCE issues, namely CVE-2020-0688. The flaw resides in the Exchange Control Panel (ECP) component and stems from the fact that Exchange servers fail to properly create unique keys at install time. A remote, authenticated attacker could exploit the CVE-2020-0688 vulnerability to execute arbitrary code with SYSTEM privileges on a server and take full control.
Once they gain access to a vulnerable Exchange server, the attackers deploy web shells into one of the many web-accessible paths on the server, which allow them to steal information or perform malicious actions for further compromise.
According to the researchers, most of the observed attacks used the China Chopper web shell.
“The attackers tried to blend the web shell script file with other .aspx files present on the system by using common file names. In many cases, hijacked servers used the ‘echo’ command to write the web shell. In other cases, certutil.exe or powershell.exe were used,” according to Microsoft.
After the web shell is deployed, the attackers run exploratory commands such as whoami, ping, and net user. In most cases, the researchers say, the hijacked application pool services were running with system privileges, giving attackers the highest privilege.
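The behaviors described above (a shell, certutil.exe or powershell.exe spawned by the IIS worker process w3wp.exe writing an .aspx file, and reconnaissance commands run from that same parent) can be expressed as simple process-creation rules. The following is an added example written for this article, not code from Microsoft; the events are constructed, and the rule names, paths and field layout are assumptions.

```python
import re

# Constructed process-creation events (not from the article), shaped like a
# parsed Sysmon Event ID 1 / Defender DeviceProcessEvents record.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo PLACEHOLDER > C:\inetpub\wwwroot\aspnet_client\help.aspx"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil.exe -decode C:\Windows\Temp\in.txt "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\x.aspx"'},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user"},
    # Benign: the same command from an interactive admin shell, not from w3wp.exe.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    # Benign: ASP.NET page compilation routinely spawns csc.exe from w3wp.exe.
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /out:App_Web_x.dll"},
]

SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}   # writers named in the article
RECON_RE = re.compile(r"\b(whoami|net\s+user|ping|nbtstat)\b", re.IGNORECASE)
ASPX_WRITE_RE = re.compile(r"(>|-decode|-urlcache).*\.aspx\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, cmdline) pairs for events matching the described behaviors."""
    findings = []
    for ev in events:
        if basename(ev["parent"]) != "w3wp.exe":
            continue          # rules are scoped to children of the IIS worker process
        child, cmd = basename(ev["image"]), ev["cmdline"]
        if child in SHELLS and ASPX_WRITE_RE.search(cmd):
            findings.append(("aspx_written_by_w3wp_child", cmd))
        elif RECON_RE.search(cmd):
            findings.append(("recon_from_w3wp_child", cmd))
        elif child in SHELLS:
            findings.append(("shell_spawned_by_w3wp", cmd))
    return findings

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Scoping every rule to the w3wp.exe parent is what keeps the admin's own `whoami` and the compiler spawn out of the findings; in production the same logic would run against the EDR's process telemetry rather than an inline list.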
The attackers also used the EternalBlue exploit and nbtstat scanner to find vulnerable machines on the network, according to Microsoft.
“As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like plink.exe, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk,” the researchers added.
Microsoft recommends that users always apply the latest security updates, keep their antivirus software enabled, frequently review sensitive groups and roles for suspicious removals and additions, restrict access by applying the principle of least privilege, and promptly investigate suspicious activity alerts.