Compromise of Microsoft Exchange Server

Cyber Security and Incident Response Advisory – Updated 29 August 2021

Updated:

On 21 August 2021, CISA posted an ‘Urgent’ update. They report that malicious attackers are currently exploiting ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, which may result in a compromise on a vulnerable machine. CISA strongly urges organisations to immediately apply Microsoft’s Security Update from May 2021 to protect against these attacks.

Advisory:

Beginning the week of 1st March 2021, Microsoft and others in the security industry have seen an unprecedented number of cyber-attacks on on-premises Microsoft Exchange servers.

In the attacks observed, the threat actor used multiple, previously unknown vulnerabilities to access email data, allowing the installation of additional malware to facilitate long-term access to victims’ environments.

Presently, the vulnerabilities are limited to Microsoft Exchange email servers that are ‘on-premises’; Exchange Online (MS365) is not known to be vulnerable to these attacks.

While researchers initially suggested that this cyber-attack began as a nation-state attack, in recent days there has been increasing evidence that the same vulnerabilities are being exploited by multiple cybercrime groups, bringing the threat of ransomware attacks along with the potential for other malicious activity.

Microsoft consider this to be a “broad attack and the severity of these exploits means protecting your systems is critical”. Such protection includes the use of traditional tools to update software, but with a heightened approach. Accordingly, Microsoft are providing specific updates for older and out-of-support software so you can update your systems more easily and quickly protect your business.

Recommendations

Investigate whether your systems have been compromised. To do so, the following playbook is structured in accordance with the NIST Incident Response framework, drawing on guidance advisories from Microsoft and Government Agencies. Certain steps may require engaging forensic expertise in accordance with the Department of Homeland Security Emergency Directive.

Preparation

  • Ensure all relevant security updates are applied to every system. This will better protect you against the known attacks and give your organisation time to update your servers with a full security update.
  • On 21 August 2021, CISA posted an ‘Urgent’ update. They report that malicious attackers are currently exploiting ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, which may result in a compromise on a vulnerable machine. CISA strongly urges organisations to immediately apply Microsoft’s Security Update from May 2021 to protect against these attacks.
  • Create forensic copies of potentially affected systems, including system memory.

Detection

  • Analyse affected systems, memory and other network data for Indicators of Compromise (IOCs), in accordance with the guidance located in this CISA Activity Alert.
  • Scan Exchange servers for evidence of exploitation of the published vulnerabilities using the Microsoft-provided script, found here, and retain the outputs.
  • Scan Exchange servers for web shells using CERT’s PS script, found here.
  • Scan Exchange servers for known web shells using Microsoft Support Emergency Response Tool (MSERT).
  • Use the Microsoft IOC feed for newly observed indicators.
  • Search for the presence of suspicious IP addresses.
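
An added example for the suspicious-IP search step above (not part of the original advisory, nor Microsoft or CISA tooling): it matches client addresses in an IIS W3C log, the format written by the IIS front end that Exchange runs on, against an indicator list. The log lines and indicators are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: IIS W3C log excerpt (documentation address ranges only).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 02:11:07 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.45 Mozilla/5.0 200
2021-03-03 02:11:09 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 302
2021-03-03 02:14:30 10.0.0.5 POST /ecp/default.aspx - 443 - 192.0.2.200 Mozilla/5.0 200
2021-03-03 02:15:00 10.0.0.5 GET /owa/ - 443 - not-an-ip Mozilla/5.0 400
"""

# Constructed indicator list: one IP or CIDR per line, '#' starts a comment.
SAMPLE_INDICATORS = ["203.0.113.0/24", "192.0.2.200  # single host", "", "# note"]


def load_indicators(lines):
    """Parse indicator lines into networks; skip blanks and comments."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def find_hits(log_text, indicators):
    """Return log records (as dicts) whose c-ip is inside any indicator."""
    fields, hits = [], []
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # column layout can change mid-file
            continue
        if not raw or raw.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, raw.split(" ")))
        try:
            client = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue  # malformed row: skip it rather than abort the scan
        if any(client in net for net in indicators):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, load_indicators(SAMPLE_INDICATORS)):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
```

Reading the column order from each `#Fields:` header matters because IIS logging fields are configurable, so a fixed column index can silently read the wrong value.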

Analysis

  • Analyse systems for evidence of:
    • Data exfiltration.
    • Credential harvesting.
    • Attacker persistence.

Containment

  • Isolate the MS Exchange server from the network.
  • Keep Endpoint (Antivirus) systems up to date and ensure they are fit for purpose.
  • Review Active Directory.
  • Change passwords, prioritising Domain accounts.
  • Review sensitive roles and groups and restrict access where necessary.
  • Review mailbox rules.
  • Prioritise alerts.

Eradication

Recovery

  • Cautiously declare business as usual, but stay vigilant and up-to-date on new cyber threat intelligence.
  • Prepare for further cyber-attacks.
  • Microsoft has reported that they are aware of cybercrime groups that are exploiting this vulnerability in order to implant ransomware and other malware that could interrupt business continuity.
  • Consider implementing a Cyber Framework, Controls and an Incident Response Plan and Playbooks. Please contact us on 0800 WITNESS or support@incidentresponse.co.nz, if you wish to discuss how to best protect against this and other cyber threats.

These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. We strongly recommend investigating your Exchange deployments using the hunting recommendations contained within this advisory, to best determine whether you have been compromised.

References

Microsoft

ProxyShell vulnerabilities and your Exchange Server (NEW)

Multiple Security Updates Released for Exchange Server

IOC Detection Tool for Exchange Server Vulnerabilities

Exchange Server Security Updates for older Cumulative Updates of Exchange Server

One-Click Microsoft Exchange On-Premises Mitigation Tool

Released: April 2021 Exchange Server Security Updates

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities

Analyzing attacks taking advantage of the Exchange Server vulnerabilities

Government Advisories

Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities (NEW)

Alert (AA21-062A) – Mitigate Microsoft Exchange Server Vulnerabilities (CISA)

Cybersecurity & Infrastructure Security Agency (CISA) – Remediating Microsoft Exchange Vulnerabilities

Joint CISA and FBI – Compromise of Microsoft Exchange Server

Department of Homeland Security – Mitigate Microsoft Exchange On-Premises Product Vulnerabilities (See updated supplemental direction for the latest.)

TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise

Webshells Observed in Post-Compromised Exchange Servers

CERT NZ – Urgent Microsoft Exchange security update released – updated advisory

Ransomware Research

Black KingDom – Sophos Article, Bleeping Computer Article

DearCry – Sophos Article, Bleeping Computer Article


This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.

Traffic Light Protocol = White