Microsoft updated MSERT to detect web shells used in attacks against Microsoft Exchange installs

Pierluigi Paganini March 08, 2021

Microsoft updated its Microsoft Safety Scanner (MSERT) tool to detect web shells employed in the recent Exchange Server attacks.

Early this month, Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” reads the advisory published by Microsoft. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

The attack chain starts with an untrusted connection to Exchange server port 443.

The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.

The second flaw, tracked as CVE-2021-26857, is an insecure deserialization vulnerability that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.

The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.

The last flaw, tracked as CVE-2021-27065, is a post-authentication arbitrary file write vulnerability in Exchange.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

Microsoft immediately updated signatures for Microsoft Defender to detect web shells that were deployed by the attackers exploiting the above zero-day flaws.

Microsoft also updated the Microsoft Support Emergency Response Tool (MSERT) to detect the web shells employed in the attacks against the Exchange servers and remove them.

The MSERT tool is a self-contained executable file that scans a computer for malware and reports its findings, it is also able to remove detected malware.

For customers that are not able to quickly apply security updates released by Microsoft to fix the zero-day vulnerabilities, the IT giant provided alternative mitigation techniques.

Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019: Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services.” reads the post published by Microsoft.

Administrators could use MSERT to make a full scan of the install or they can perform a ‘Customized scan’ of the following paths where malicious files from the threat actor have been observed:

  • %IIS installation path%\aspnet_client\*
  • %IIS installation path%\aspnet_client\system_web\*
  • %Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
  • Configured temporary ASP.NET files path
  • %Exchange Server Installation%\FrontEnd\HttpProxy\ecp\auth\*

“These remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities.  Microsoft Defender will continue to monitor and provide the latest security updates.” concludes Microsoft.

As reported by Bleeping Computer, administrators that would like to scan for web shells associated with these attacks without removing them can use a new PowerShell script released by CERT Latvia.

More information on how to use this script can be found in the CERT-LV project’s GitHub repository.

Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment