March 8, 2021
As you may know, a zero-day vulnerability in Microsoft Exchange Server was published last week that is garnering a lot of attention.
Microsoft has attributed this to a known threat actor that has now compromised thousands or even tens of thousands of systems with these attacks, though it's important to understand that other attackers are now leveraging these vulnerabilities for their own campaigns.
Most critically: It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.
This cannot be emphasized enough - compromise of an Exchange server could lead to a much wider compromise that will require extensive efforts to contain and remediate.
Castra is seeing active exploitation of this vulnerability already.
If you have Microsoft Exchange in your environment, please patch immediately and scan all Exchange servers with the latest IOCs.
We have included additional IOCs below that may not be included in your current scanning tools. Please let us know if you do have Exchange so that we can work with you for a deeper review.
Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:
- CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
- CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
- To locate a possible compromise of these CVEs, we encourage you to read the Microsoft Advisory.
Detailed Detection Information
To determine possible webshell activity, administrators should search for aspx files in the following paths:
- \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
- \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any aspx file in this folder or subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any aspx file in this folder or subfolders)
Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.
These should not be taken as definitive but can be possible indicators:
You should also check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
Finally, monitor these paths for LSASS dumps:
Microsoft has provided a more extensive set of detection indicators in the postings listed above.