Microsoft has disclosed new security issues affecting Microsoft Exchange Server versions 2010, 2013, 2016 and 2019. Blue Hexagon Threat Lab has been tracking active exploitation attempts and attacks on on-premises Exchange Servers that have Outlook Web Access reachable from the public Internet. This is a very popular way to provide email services over the web for on-premises Exchange Server instances, which explains the wide range of customers affected by this attack.
It is very easy for threat actors to initiate such attacks. Simple searches on Shodan, for example, surface a few hundred thousand such accessible servers, tens of thousands of them in the United States, even for just one of the software versions.
Vulnerability – Summary and Analysis
Several CVEs are part of this attack kill chain:
- CVE-2021-24085 enables the attacker to escalate their privileges on the Exchange Server using Cross-Site Request Forgery (CSRF).
- CVE-2021-26855 exploits the Exchange Control Panel (ECP) and allows an unauthenticated attacker to send arbitrary HTTP requests.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
By combining the above vulnerabilities, an attacker who has either stolen administrator credentials or exploited ECP could write a file to any path on the server and execute arbitrary code as SYSTEM.
The underlying weakness is that, instead of using randomly generated keys for each installation, all installations of Microsoft Exchange Server share the same validationKey and decryptionKey values in web.config. These keys protect the ViewState. ViewState is server-side data that ASP.NET web applications store, in serialized form, on the client; the client returns it to the server in the __VIEWSTATE request parameter.
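As an added defensive check (not Blue Hexagon's code or Microsoft's), the following Python classifies the machineKey element of a web.config into the states this paragraph contrasts: per-machine auto-generated keys, a static key unique to one organization, and a static key known to be identical across installations. The post does not print the shared key values, so KNOWN_SHARED holds obviously named placeholders to be replaced with confirmed values, and the web.config fragments are constructed.

```python
import xml.etree.ElementTree as ET

# The post does not print the shared Exchange key values. Replace these obviously named placeholders
# with values you have confirmed ship identically on every installation before trusting a "shared" verdict.
KNOWN_SHARED = {"PLACEHOLDER_SHARED_VALIDATION_KEY", "PLACEHOLDER_SHARED_DECRYPTION_KEY"}
LEGACY_ALGOS = {"MD5", "SHA1", "DES", "3DES"}  # still accepted by ASP.NET, no longer recommended

def audit_machine_key(web_config_xml):
    """Classify the <system.web><machineKey> of one web.config: missing, autogenerate, shared or static."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        return {"verdict": "missing",
                "notes": ["no <machineKey> element: ASP.NET auto-generates a key per machine"]}
    vkey, dkey = mk.get("validationKey", ""), mk.get("decryptionKey", "")
    notes = [f"{attr}={mk.get(attr)} is a legacy algorithm"
             for attr in ("validation", "decryption") if mk.get(attr, "").upper() in LEGACY_ALGOS]
    if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
        notes.append("keys are random per machine; a load-balanced farm needs one organization-specific key")
        return {"verdict": "autogenerate", "notes": notes}
    if vkey in KNOWN_SHARED or dkey in KNOWN_SHARED:
        notes.append("key value is known to be identical on every installation, so anyone can produce a "
                     "__VIEWSTATE this server accepts; patch, then generate and deploy new keys")
        return {"verdict": "shared", "notes": notes}
    notes.append(f"static keys ({len(vkey)} chars validation, {len(dkey)} chars decryption); "
                 "confirm they were generated for this organization and are not a vendor default")
    return {"verdict": "static", "notes": notes}

# Constructed web.config fragments (not from a real server) exercising the verdicts above.
SHARED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY" decryptionKey="PLACEHOLDER_SHARED_DECRYPTION_KEY"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
AUTOGEN_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
UNIQUE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF" decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
```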
Attack Kill Chain
- Attackers search for a specific token with a request to /ecp/DDI/DDIService.svc/GetList.
- If that request is successful, the attacker moves on to writing the desired token to the server's filesystem with a request to /ecp/DDI/DDIService.svc/SetObject.
- At that point, since the token can be downloaded directly, the attacker sends a download request to /ecp/attacker.png; this activity may be recorded in the IIS logs, tied to the IP address of the initial attack.
- Indicators of compromise would include requests to both /ecp/DDI/DDIService.svc/GetList and /ecp/DDI/DDIService.svc/SetObject, especially if those requests are associated with user agents that appear abnormal.
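The following Python is an added example (not part of the original post or of Blue Hexagon's product) that runs the kill-chain indicators above over IIS W3C log lines: it groups requests by client IP, looks for a SetObject write preceded by GetList and followed by access to a file placed directly under /ecp/, and matches the tooling user agents from the IoC list further down. The log lines and IP addresses are constructed, and treating any file directly under /ecp/ as suspicious is an assumption, since the post only names /ecp/attacker.png as an example.

```python
import re
from collections import defaultdict
# Kill-chain paths from the post. The fetched file name (attacker.png) is the attacker's choice, so any
# file directly under /ecp/ is treated as suspicious (assumption: legitimate ECP assets live in deeper paths).
GETLIST = "/ecp/ddi/ddiservice.svc/getlist"
SETOBJECT = "/ecp/ddi/ddiservice.svc/setobject"
ECP_FILE = re.compile(r"^/ecp/[^/]+\.(png|js|css|flt|aspx)$")
# Tooling user agents from the post's IoC list (IIS encodes spaces in the UA field as '+').
TOOL_UA = re.compile(r"^(python-requests/|antSword/|ExchangeServicesClient/0\.0\.0\.0)")

def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the column names in the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))

def triage(text):
    """Per client IP, correlate SetObject (the write) with a prior GetList and a later file access."""
    per_ip = defaultdict(lambda: {"getlist": False, "setobject": False, "files": [], "tool_ua": set()})
    for r in parse_iis_w3c(text):
        e, uri, ua = per_ip[r["c-ip"]], r["cs-uri-stem"].lower(), r.get("cs(User-Agent)", "-")
        if uri == GETLIST:
            e["getlist"] = True   # routine for ECP admins; only meaningful next to SetObject
        elif uri == SETOBJECT:
            e["setobject"] = True
        elif ECP_FILE.match(uri):
            e["files"].append(uri)
        if TOOL_UA.match(ua):
            e["tool_ua"].add(ua)
    findings = {}
    for ip, e in per_ip.items():
        if not (e["setobject"] or (e["files"] and e["tool_ua"])):
            continue
        reasons = [name for name, hit in (
            ("DDIService GetList", e["getlist"]), ("DDIService SetObject", e["setobject"]),
            ("direct file access under /ecp/: " + ", ".join(e["files"]), bool(e["files"])),
            ("tooling user agent: " + ", ".join(sorted(e["tool_ua"])), bool(e["tool_ua"]))) if hit]
        findings[ip] = {"severity": "critical" if e["setobject"] and e["files"] else "high", "reasons": reasons}
    return findings

# Constructed sample (not real telemetry): 198.51.100.7 runs the full sequence with python-requests;
# 203.0.113.9 is an administrator calling GetList normally from a browser and must not be flagged.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:00:01 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 120
2021-03-03 10:00:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 98
2021-03-03 10:00:03 10.0.0.5 GET /ecp/attacker.png - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 15
2021-03-03 10:06:44 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 210
"""
```

A SetObject seen in an earlier day's log than the webshell traffic will only be correlated if both files are concatenated before calling triage.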
Example attack code is available at: https://github.com/sourceincite/CVE-2021-24085
Impact
Although the initial media reports emphasized the impact in the US, our telemetry data shows global impact. We recommend that all organizations using the affected Microsoft Exchange Server versions patch immediately and then monitor activity continuously.
Versions Affected
These vulnerabilities affect Microsoft Exchange Server 2010, 2013, 2016 and 2019.
How Network Detection and Response (NDR) can help
Blue Hexagon Threat Lab has been proactively tracking suspicious activity against publicly accessible servers and has seen attacks at different stages of the kill chain, from initial reconnaissance and exploitation attempts to web shells and post-exploitation activity. With elevated privileges, it is likely that endpoint tools could be bypassed or that the attacker can use in-memory techniques.
Blue Hexagon's Deep Learning-powered Network Detection and Response solution provides a complete kill chain view: the initial reconnaissance, exploitation attempts (for example using JavaScript snippets), delivery of web shells, and the command and control and exfiltration that follow. It also allows defenders to focus quickly on their Exchange Servers and on all related north-south (public to trusted) and east-west (lateral, within trusted zones) network activity.
Below is a summary of observed and potential attacker behavior and how NDR can provide visibility into the various stages of the kill chain. We will continue to update these as more information about the attacks becomes available.
| Attacker Behavior | Blue Hexagon NDR Detection |
| --- | --- |
| Using archive files (7z, WinRAR) for exfiltration | Exfiltration Detection and File Visibility and Analysis |
| Downloading PowerCat from GitHub | HTTPS Visibility and Analysis |
| Using Nishang, PowerCat to establish C2 | Deep Learning verdicts on C2 |
| Covenant, Cobalt Strike payloads post webshell activation | Deep Learning verdicts on payloads and C2 |
| Initial recon and exploitation attempts | User Agents and URIs and Files in Blue Hexagon Visibility Platform |
Indicators of Compromise:
Listed below are the current IOCs that Blue Hexagon Threat Labs is researching and monitoring as part of this attack. This section will be updated daily as further research becomes available. [Updated on 03/08/2021, 03/09/2021, 03/11/2021]
Batch Script SHA-256
2f907f2da760bbadc713d710166a68e73895a75cb695b4890c63aea453e838c0
Shellcode SHA-256
d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09
Backdoor SHA-256
b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff 5d803a47d6bb7f68d4e735262bb7253def6aaab03122b05fec468865a1babe32 ab678bbd30328e20faed53ead07c2f29646eb8042402305264388543319e949c 5a5f4a1c7dbac3e1ac900f43415f378e88a7b591aff730d9715b62d6d782bdde 733b4d5174669caab2bbcc9bfe51606a13346b70af59fccea4f479d1fde7b5d7
WebShell SHA-256
HTTP GET Request
/owa/auth/x.js
HTTP POST Requests
- /rpc/
- /ecp/program.js
- /ecp/main.css
- /ecp/default.flt
- /ecp/{single_character}.js
- /ecp/DDI/DDIService.svc/GetList
- /owa/auth/Current/
- /owa/auth/Current/themes/resources/logon.css
- /owa/auth/Current/themes/resources/lgnbotl.gif
- /owa/auth/Current/themes/resources/owafont_ko.css
- /owa/auth/Current/themes/resources/owafont_ja.css
- /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
- /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
Attacker Infrastructure Domains
p.estonine.com, cdn.chatcdn.net, lab.symantecsafe.org, komdsecko.net, soft.mssysinfo.xyz, ns.rtechs.org, mm.portomnail.com, back.rooter.tk, rawfuns.com, yolkish.com, averyspace.net, t.zer9g.com, owa.conf1g.com, box.conf1g.com
Attacker Infrastructure URLs
Attacker Infrastructure IPs
File names used by the WebShell
Discover.aspx, HttpProxy.aspx, Logout.aspx, MultiUp.aspx, Online.aspx, OutlookEN.aspx, OutlookJP.aspx, OutlookRU.aspx, RedirSuiteServerProxy.aspx, Shell.aspx, iisstart.aspx, aspnet_client.aspx, aspnet_iisstart.aspx, aspnet_www.aspx, document.aspx, error.aspx, errorEE.aspx, errorEEE.aspx, errorEW.aspx, errorFF.aspx, healthcheck.aspx, help.aspx, one.aspx, shell.aspx, web.aspx, xx.aspx, aspnet.aspx, aspnet_error.aspx, aspnet_regiis.aspx, caches.aspx, client.aspx, discover.aspx, dukybySSSS.aspx, dvgippna.aspx, err0r.aspx, front.aspx, load.aspx, log_error_9e23efc3.aspx, outlooken.aspx, outlookus.aspx, outlookzh.aspx, r07azcq5.aspx, supp0rt.aspx, xpy07b5a.aspx, zxvt0lpt.aspx, OutlookUS.aspx, OutlookZH.aspx, 8Lw7tAhF9i1pJnRo.aspx, a.aspx, authhead.aspx, bob.aspx, default.aspx, errorPage.aspx, errorPages.aspx, fatal-erro.aspx, log.aspx, logg.aspx, logout.aspx, one1.aspx, shel.aspx, shel2.aspx, shel90.aspx, aspnet_pages.aspx, default1.aspx, errorcheck.aspx, iispage.aspx, s.aspx, Server.aspx, session.aspx, xclkmcfldfi948398430fdjkfdkj.aspx, services.aspx, logon.aspx, TimeoutLogout.aspx, 333.aspx
User-Agents
- DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
- ExchangeServicesClient/0.0.0.0
- Googlebot/2.1+(+http://www.googlebot.com/bot.html)
- Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36
- Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36
- Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
- Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
- Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
- Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
- Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
- Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
- antSword/v2.1
- facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
- python-requests/2.19.1
- python-requests/2.24.0
- python-requests/2.25.1
Questions? How to Contact Blue Hexagon Threat Experts
If you have any questions, or need assistance determining whether your current security controls can surface the attack and IoCs described above and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at inquiries@bluehexagon.ai or online at https://bluehexagon.ai/contact/ and let us know how we can help.
Note: You may like to bookmark this blog post for future reference as we continue to add further research on this attack.
- Updated on 03/08/2021 with additional IOCs – Attacker IPs and WebShell SHA-256
- Updated on 03/09/2021 with additional IOCs – Attacker IPs
- Updated on 03/11/2021 with additional IOCs – Attacker IPs, Domains, URLs, ShellCode SHA-256, Backdoor SHA-256, WebShell SHA-256 and Filenames used by the WebShell.
- Updated on 03/12/2021 with additional IOCs – HTTP GET Request and HTTP POST requests.
- Updated on 03/15/2021 with additional IOCs – Attacker Domains, URLs, WebShell SHA-256 and Batch Script SHA-256.
- Updated on 03/18/2021 with additional IOCs – Backdoor SHA-256.
- Updated on 03/22/2021 with additional IOCs – Backdoor SHA-256 and Filenames used by the WebShell.