Microsoft Exchange vulnerabilities are still a problem: security analysts summarize one of the many attacks they have seen and explain how the hackers went about it.
Vulnerabilities in Microsoft Exchange servers were disclosed in early March. They are, of course, being exploited by cyber criminals, and Microsoft, the BSI and security companies are urging administrators to patch. Further gaps have since been found that also need to be closed urgently. What happens when companies do nothing is illustrated by the following example of an attack based on these vulnerabilities.
According to Unit 42's blog post, on March 6, 2021, unknown cybercriminals used the Microsoft Exchange server vulnerabilities to install a web shell on a server at a financial institution in the EMEA region. Although Unit 42 did not have access to the web shell itself, its analysts suspect that the server-side component may be a variant of the JavaScript China Chopper web shell.
The blog post by the Palo Alto Networks malware research group describes the sequence of the attack: On March 12, 2021, six days after it was installed, the attackers used the web shell to execute PowerShell commands, gather system and Active Directory information from the local server, and dump credentials from it. The cybercriminals compressed the files produced by this information and credential collection into cabinet files, which they stored in a folder served to the Internet by the Internet Information Services (IIS) server. The actors then attempted to exfiltrate these cabinet files by downloading them on March 12 and 13, 2021.
Security analysts examined the IP addresses of the incoming requests that executed commands through the web shell, as well as of the requests that downloaded the resulting files. None of the observed IP addresses appears to belong to the attackers' own infrastructure; they are more likely a mix of free proxies, VPNs and compromised servers. The IP addresses seen in the logs provided no trace of further activity.
Hackers automate their attacks
Unit 42 researchers believe the attackers automated their interactions with the web shell to run two separate PowerShell scripts. The requests arrived every three seconds and came from two different source IP addresses. The automation also appears to have deliberately rotated IP addresses in a way that makes the activity harder to analyze and correlate. This automation is a hint that the actors carried out this particular attack as part of a larger offensive campaign.
The attempt to collect credentials from the affected financial institution in the EMEA region failed, because the incoming requests to download the memory dump of the Local Security Authority Subsystem Service (LSASS) process did not succeed. As an additional safeguard, Cortex XDR was installed on the Exchange server with its credential theft protection module enabled. This module removes the pointers to the credentials from the memory dump, which would have defeated credential extraction from the dump even if the file had been downloaded successfully.
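The activity described above leaves a distinctive footprint in the IIS logs: POST requests to a single script path at a fixed short interval from a small set of rotating source addresses, followed by GET requests for archive or dump files sitting in web-accessible folders. The following Python script is an added example, not code from Unit 42 or Palo Alto Networks, that runs both checks over a handful of constructed W3C-style log lines; the script name, paths, IP addresses and file names are placeholders chosen for the illustration.

```python
"""Two IIS-log heuristics for post-exploitation web shell activity.

Added example with constructed sample data; nothing here is taken from the
incident described in the article or from Unit 42's tooling.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample IIS W3C log lines (fields: date time c-ip cs-method cs-uri-stem sc-status).
# The script name, directory and IP addresses are placeholders.
SAMPLE_LOG = """\
2021-03-12 10:00:00 203.0.113.10 POST /owa/auth/sample_shell.aspx 200
2021-03-12 10:00:03 198.51.100.7 POST /owa/auth/sample_shell.aspx 200
2021-03-12 10:00:06 203.0.113.10 POST /owa/auth/sample_shell.aspx 200
2021-03-12 10:00:09 198.51.100.7 POST /owa/auth/sample_shell.aspx 200
2021-03-12 10:00:12 203.0.113.10 POST /owa/auth/sample_shell.aspx 200
2021-03-12 10:02:00 192.0.2.99 GET /owa/auth/logon.aspx 200
2021-03-12 10:02:07 192.0.2.99 POST /owa/auth.owa 302
2021-03-12 10:04:30 192.0.2.42 POST /owa/auth.owa 302
2021-03-12 10:05:00 192.0.2.55 GET /aspnet_client/system_web/out.cab 200
2021-03-12 10:06:00 192.0.2.55 GET /aspnet_client/system_web/lsass.dmp 404
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

# Extensions of staged archives / memory dumps that should never be served by IIS.
STAGED_FILE_EXT = (".cab", ".dmp", ".zip", ".rar", ".7z")


def parse_iis(text):
    """Parse W3C-style lines into dicts; comment lines and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group(2),
            "method": m.group(3),
            "uri": m.group(4),
            "status": int(m.group(5)),
        })
    return events


def find_staged_file_downloads(events):
    """GET requests for archives or dumps under the web root, successful or not.

    A 404 is still worth a look: it shows someone expected the file to be there.
    """
    return [e for e in events
            if e["method"] == "GET" and e["uri"].lower().endswith(STAGED_FILE_EXT)]


def find_automated_posts(events, max_gap=5.0, jitter=1.0, min_requests=4):
    """POST bursts to one URI with a near-constant short interval.

    Flags a URI when at least `min_requests` POSTs arrive with every gap at most
    `max_gap` seconds and the gaps differ by no more than `jitter` seconds.
    The set of source IPs is reported so rotation across proxies is visible.
    """
    by_uri = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_uri[e["uri"]].append(e)

    findings = []
    for uri, evs in by_uri.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if max(gaps) <= max_gap and (max(gaps) - min(gaps)) <= jitter:
            findings.append({
                "uri": uri,
                "count": len(evs),
                "interval": sum(gaps) / len(gaps),
                "ips": sorted({e["ip"] for e in evs}),
            })
    return findings


if __name__ == "__main__":
    evs = parse_iis(SAMPLE_LOG)
    for f in find_automated_posts(evs):
        print(f"automated POSTs: {f['uri']} x{f['count']} every {f['interval']:.1f}s from {f['ips']}")
    for d in find_staged_file_downloads(evs):
        print(f"staged file request: {d['ip']} GET {d['uri']} -> {d['status']}")
```

On the sample data the cadence check reports the five POSTs to the placeholder script at a 3.0 second interval from two alternating addresses, while the two ordinary OWA logins are ignored, and the file check reports both the cabinet file and the failed dump download. In production the thresholds belong in configuration, and the staged-file check is best paired with an inventory of which directories under the web root are expected to contain anything other than the application's own files.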