Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)

[German]Regarding the Exchange ProxyLogon vulnerabilities and the mass hack of Exchange Server systems, there is a publicly available proof of concept (PoC), so new attacks are to be expected. Patching and securing is progressing slowly. Microsoft’s testing scripts should be kept up to date or tests will fail. And there are new Indicator of Compromise (IoC) for attacks on Exchange Server.


Advertising

Publicly available exploit

A  few days ago, the following tweet already came to my attention. There is a functional exploit to download emails from mailboxes of OWA instances via the CVE-2021-26855 vulnerability.

Exchange ProxyLogon Exploit

The exploit is written in Python and available via GitHub. So it’s only a matter of time before script kiddies exploit something like this. The colleagues at Bleeping Computer published this article on the subject a few days ago.

Details about the DearCry ransomware

Also from Palo Alto Networks I have the information that the vulnerabilities are increasingly exploited by cyber criminals. With the DearCry ransomware already mentioned here on the blog, the cyber criminals are trying to extort companies with vulnerable Exchange servers. DearCry is a new ransomware variant that has been observed to exploit Microsoft Exchange server ProxyLogon vulnerabilities for initial access. The first reports of DearCry extortion letters appearing in connection with the compromise of Microsoft Exchange servers via ProxyLogon vulnerabilities appeared as early as March 9, 2021.

As with the majority of ransomware variants, DearCry actors drop a ransom note on the victim’s desktop. However, instead of asking for a fixed ransom amount and providing a Bitcoin wallet address, the DearCry note contains two email addresses for the victim to contact. Likewise, it includes a request to send a provided hash.


Advertising

During execution, DearCry also runs a service called “msupdate”, which is not part of the Windows operating system. This service is later removed when the ransomware finishes its encryption process. In addition, all Windows operating system logical drives, except CD-ROM drives, are enumerated on the victim’s system so that the ransomware can start encrypting files using an RSA public key.

DearCry is a new ransomware that exploits ProxyLogon vulnerabilities of Microsoft Exchange servers. It is also a perfect example of how threat actors can influence the threat landscape by exploiting newly discovered vulnerabilities to make a quick profit. Palo Alto Networks strongly advises that all Microsoft Exchange Servers be immediately updated to the latest available patch versions released by Microsoft. More details on DearCry can be found in this article. In the article ProxyLogon hack: Administrator’s Repository for affected Exchange systems I had linked everything you need to know about closing the vulnerabilities for administrators.

Patch pace picks up

The good news of the day is that Exchange administrators are finally taking vulnerable systems offline and patching them. German CERT-Bund recently published, that 9,000 Exchange servers were taken offline or prevented from accessing OWA from the Internet in the last two weeks. However, about 12,000 of 56,000 Exchange servers with open OWA in Germany are still vulnerable to ProxyLogon.

I also received some numbers from Palo Alto Networks. The company continuously collects information about all devices accessible via the Internet via its Expanse platform. Therefore, data on the total volume of publicly accessible Microsoft Exchange servers and the subset of vulnerable servers could also be determined. By comparing information collected three days apart (on March 8 and then again on March 11), it is possible to see on the one hand how many Microsoft Exchange Servers were vulnerable. On the other hand, it was also possible to obtain some data about the speed with which companies applied patches.

The results show that patch rates are lightning fast – at 36 percent in just three days. Using FireEye data on the time between detection, patch release and exploitation, it is known that in the past the average time to patch was nine days. However, patching does not mean that companies are safe. It is likely that these vulnerabilities will continue to be exploited. The latest analysis can be found here.

Watch out with old MEOMT versions

Here in the blog I have published some articles that deal with the detection of a compromise. Among other things, Microsoft has published some PowerShell scripts to detect and eliminate infections. In this German comment, a blog reader points out that the PowerShell script eomt.ps1 (the basis of the Microsoft Exchange On-Premises Mitigation Tool) causes issues in older versions when run on a patched Exchange Server 2016. It may cause false alerts because the script uses wrong premises. However, Microsoft has since released a new version of the script that fixes these issues. However, Microsoft detection scripts are not perfect either, as the next section shows.

New IoCs found for ProxyLogon

The security experts at German HiSolution AG notified me via Facebook and pointed out the German article HiSolutions entdeckt neue HAFNIUM/ProxyLogon IoCs. The experts have come across several cases during forensic investigations on HAFNIUM/ProxyLogon where Microsoft tools (scripts or Safety Scanner aka MSERT) find nothing. In the HttpProxy log no ProxyLogon can be seen, while the access was traceable in the ECP Activity Log. The security experts at HiSolution Reasearch then found new Indicators of Compromise (IoCs), which were documented in the above article.

./ECP/Activity/ECPActivity_39844_20210303-1.LOG: 2021-03-03T06:43:32.531Z ,EX01, ,S:FE=EX01.FOOBAR.LOCAL;S:URL=https://ex01.foobar.local:444 /ecp/proxyLogon.ecp (https://owa.foobar.com/ecp/y.js);S:Bld=15.1.2106.2;S:ActID=def0-b0e6-2342-5e2c-23a8ff1962a1;Dbl:WLM.TS=0
./ECP/Activity/ECPActivity_39844_20210303-1.LOG: 2021-03-03T06:43:32.963Z, EX01,Request,S:PSA= administrator@foobar.com ;S:FE=EX01.FOOBAR.LOCAL;S:URL=https://ex01.foobar.local:444 /ecp/proxyLogon.ecp (https://owa.foobar.com/ecp/y.js)

The following (Linux/UNIX) command can be used to comb the logs for the interesting entries:

grep -ir “proxylogon” ./ECP/Activity | sort -n

To encourage sharing among researchers and to help others protect themselves more quickly, we also shared our findings on Twitter (see for example).

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator’s Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *