Blue Hexagon Blog

Threat Advisory: Microsoft Exchange Server including CVE-2021-24085, 26855, 26857, 26858, and 27065

Microsoft has disclosed new security issues affecting Microsoft Exchange Server versions 2010, 2013, 2016 and 2019. Blue Hexagon Threat Lab has been tracking active exploitation attempts and attacks on on-premise Exchange Servers that have Outlook Web Access accessible from the public Internet. This is a very popular way to provide email services over the web for on-premise Exchange server instances and explains the wide range of customers affected by this attack. 

It is very easy for threat actors to initiate such attacks. Simple searches on Shodan for example surface a few hundred thousand such accessible servers with tens of thousands in the United States, even for just one of the software versions.

Vulnerability – Summary and Analysis

Several CVEs are part of this attack kill chain:

Using a combination of the above vulnerabilities an attacker with stolen admin credentials or via ECP exploit could write a file to any path on the server and execute arbitrary code as SYSTEM on the server.

The vulnerability is that instead of having randomly-generated keys on a per-installation basis all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter.

Attack Kill Chain

  • Attackers are searching for a specific token using a request to /ecp/DDI/DDIService.svc/GetList.
  • If that request is successful, the attacker moves on to writing the desired token to the server’s filesystem with the request /ecp/DDI/DDIService.svc/SetObject. 
  • At that point, since the token is available to be downloaded directly, the attacker sends a download request to /ecp/attacker.png and this activity may be recorded in the IIS logs themselves attached to the IP of the initial attack.
  • Indicators of compromise would include the requests to both /ecp/DDI/DDIService.svc/GetList and /ecp/DDI/DDIService.svc/SetObject, especially if those requests were associated with user agents that appear to be abnormal. 

Example attack code is available at: https://github.com/sourceincite/CVE-2021-24085

Impact

Despite the fact the initial media reports emphasize the US impact our telemetry data shows global impact. We recommend all organizations using the affected Microsoft Exchange Server versions to immediately patch and then continuously monitor activity.

Versions Affected

These vulnerabilities affect Microsoft Exchange Server 2010, 2013, 2016, 2019

How Network Detection and Response (NDR) can help

Blue Hexagon Threat Lab has been proctively tracking suspicious activity to publicly accessible servers and has seen attacks at different stages of the killchain from initial recon and exploitation attempts to webshells and some post-exploitation examples. It is likely that with elevated privileges, endpoint tools could be bypassed or the attacker can use in-memory techniques. 

Blue Hexagon Deep Learning-powered Network Detection and Response solution provides a complete killchain view into the initial recon, attempts to exploit using for example Javascript snippets and finally delivery of web shells followed by command and control and exfiltration. It also allows the defenders to quickly focus on their MS Exchange Servers and all N-S (public-trusted) and E-W (laterally within trusted zones) network activity related to them. 

Below is a summary of observed and potential attacker behavior and how NDR can provide visibility into the various stages of the kill-chain. We will continue to update these as more information about the attacks becomes available.

Attacker BehaviorBlue Hexagon NDR Detection
Using archive files for exfiltration using 7z, WinRARExfiltration Detection and File Visibility and Analysis
Downloading PowerCat from GitHub HTTPS Visibility and Analysis
Using Nishang, PowerCat to establish C2Deep Learning verdicts on C2
Covenant, Cobalt Strike payloads post webshell activationDeep Learning verdicts on payloads and C2
Initial recon and exploitation attemptsUser Agents and URIs and Files in Blue Hexagon Visibility Platform

Indicators of Compromise:

Listed below are the current IOCs that the Blue Hexagon Threat Labs is researching and monitoring as a part of this attack. This section will be updated daily as further research becomes available. [Updated on 03/08/2021, 03/09/2021, 03/11/2021]

Batch Script SHA-256

2f907f2da760bbadc713d710166a68e73895a75cb695b4890c63aea453e838c0

Shellcode SHA-256

d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09

Backdoor SHA-256

b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff  
5d803a47d6bb7f68d4e735262bb7253def6aaab03122b05fec468865a1babe32 
ab678bbd30328e20faed53ead07c2f29646eb8042402305264388543319e949c
5a5f4a1c7dbac3e1ac900f43415f378e88a7b591aff730d9715b62d6d782bdde
733b4d5174669caab2bbcc9bfe51606a13346b70af59fccea4f479d1fde7b5d7

WebShell SHA-256

097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2
406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928
2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a
8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc
2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e
a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a
dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d
201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41

HTTP GET Request 

/owa/auth/x.js

HTTP POST Requests 

/rpc/
/ecp/program.js
/ecp/main.css 
/ecp/default.flt
/ecp/{single_character}.js
/ecp/DDI/DDIService.svc/GetList
/owa/auth/Current/
/owa/auth/Current/themes/resources/logon.css  /owa/auth/Current/themes/resources/lgnbotl.gif  /owa/auth/Current/themes/resources/lgnbotl.gif /owa/auth/Current/themes/resources/owafont_ko.css /owa/auth/Current/themes/resources/owafont_ja.css /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf  

Attacker Infrastructure Domains

p.estonine.com, cdn.chatcdn.net, lab.symantecsafe.org, komdsecko.net, soft.mssysinfo.xyz, ns.rtechs.org, mm.portomnail.com, back.rooter.tk, rawfuns.com, yolkish.com, averyspace.net, t.zer9g.com, owa.conf1g.com, box.conf1g.com

Attacker Infrastructure URLs

http://34.90.207.23/ip
http://46.30.188.60/webengine4.dll
http://p.estonine.com/p?e
http://p.estonine.com/low?ipc
http://p.estonine.com/p?smb
http://cdn.chatcdn.net/p?hig210305
http://cdn.chatcdn.net/p?hig190509
http://cdn.chatcdn.net/p?hig190521
http://cdn.chatcdn.net/p?hig200720
http://cdn.chatcdn.net/p?hig210304
http://cdn.chatcdn.net/p?low190617
https://www.licensenest.com/list/news/id
https://www.licensentest.com/list/news/post?newid=<identifying number>

Attacker Infrastructure IPs

86.105.18.116, 89.34.111.11, 182.18.152.105, 103.77.192.219, 104.140.114.110, 104.248.49.97, 104.250.191.110, 108.61.246.56, 149.28.14.163, 157.230.221.198, 161.35.1.207, 161.35.1.225, 165.232.154.116, 167.99.168.251, 167.99.239.29, 185.250.151.72, 192.81.208.169, 203.160.69.66, 211.56.98.146, 5.2.69.14, 5.254.43.18, 80.92.205.81, 91.192.103.43, 104.248.49.97, 13.231.174.2, 161.35.45.41, 194.87.69.35, 45.155.205.225, 45.76.110.29, 45.77.252.175, 112.66.255.71, 139.59.56.239, 161.35.51.41, 161.35.76.1, 188.166.162.201, 77.61.36.169, 161.129.64.124, 46.30.188.60, 139.162.123.108, 194.68.44.19, 172.105.18.72, 77.83.159.15, 185.125.231.175, 185.224.83.137, 107.173.83.123, 201.162.109.184, 68.2.82.62, 182.215.181.200, 45.15.9.45, 141.164.40.193, 172.105.87.139

File names used by the WebShell

Discover.aspx, HttpProxy.aspx Logout.aspx, MultiUp.aspx, Online.aspx, OutlookEN.aspx, OutlookJP.aspx, OutlookRU.aspx, RedirSuiteServerProxy.aspx, Shell.aspx, iisstart.aspx, aspnet_client.aspx, aspnet_iisstart.aspx, aspnet_www.aspx, document.aspx, error.aspx, errorEE.aspx, errorEEE.aspx, errorEW.aspx, errorFF.aspx, healthcheck.aspx, help.aspx, one.aspx, shell.aspx, web.aspx, xx.aspx, aspnet.aspx, aspnet_error.aspx, aspnet_regiis.aspx, caches.aspx, client.aspx, discover.aspx, dukybySSSS.aspx, dvgippna.aspx, err0r.aspx, error.aspx, front.aspx, load.aspx, log_error_9e23efc3.aspx, outlooken.aspx, outlookus.aspx, outlookzh.aspx, r07azcq5.aspx, supp0rt.aspx, xpy07b5a.aspx, zxvt0lpt.aspx, OutlookUS.aspx, OutlookZH.aspx, 8Lw7tAhF9i1pJnRo.aspx, a.aspx, authhead.aspx, bob.aspx, default.aspx, errorPage.aspx, errorPages.aspx, fatal-erro.aspx, log.aspx, logg.aspx, logout.aspx, one1.aspx, shel.aspx, shel2.aspx, shel90.aspx, log.aspx, aspnet_pages.aspx, default1.aspx, errorcheck.aspx, iispage.aspx, s.aspx, Server.aspx, session.aspx, xclkmcfldfi948398430fdjkfdkj.aspx, services.aspx, logon.aspx, TimeoutLogout.aspx, 333.aspx

User-Agents

DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
ExchangeServicesClient/0.0.0.0
Googlebot/2.1+(+http://www.googlebot.com/bot.html)
Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36
Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36
Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
antSword/v2.1
facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
python-requests/2.19.1
python-requests/2.24.0
python-requests/2.25.1 

Questions? How to Contact Blue Hexagon Threat Experts

If you have any questions or need assistance to determine whether your current security controls can surface the attack and IoCs described above and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at inquiries@bluehexagon.ai  or online at https://bluehexagon.ai/contact/ and let us know how we can help and get in touch with you.

Note: You may like to bookmark this blog post for future reference as we continue to add further research on this attack.

  1. Updated on 03/08/2021 with additional IOCs – Attacker IPs and WebShell SHA-256
  2. Updated on 03/09/2021 with additional IOCs – Attacker IPs
  3. Updated on 03/11/2021 with additional IOCs – Attacker IPs, Domains, URLs, ShellCode SHA-256, Backdoor SHA-256, WebShell SHA-256 and Filenames used by the WebShell.  
  4. Updated on 03/12/2021 with additional IOCs – HTTP GET Request and HTTP POST requests.
  5. Updated on 03/15/2021 with additional IOCs – Attacker Domains, URLs, WebShell SHA-256 and Batch Script SHA-256.
  6. Updated on 03/18/2021 with additional IOCs – Backdoor SHA-256.
  7. Updated on 03/22/2021 with additional IOCs – Backdoor SHA-256 and Filenames used by the WebShell.

Comments are closed.