Last updated 2021-08-23 UTC 18:10
Overview
Threat actors are actively scanning and exploiting vulnerable Microsoft Exchange servers that have not applied security patches released earlier this year.
ProxyShell, the name given to a collection of vulnerabilities for Microsoft Exchange servers, enables an actor to bypass authentication and execute code as a privileged user.
ProxyShell comprises three separate vulnerabilities used as part of a single attack chain:
- CVE-2021-34473: Pre-auth path confusion vulnerability to bypass access control. Patched in KB5001779, released in April.
- CVE-2021-34523: Privilege elevation vulnerability in the Exchange PowerShell backend. Patched in KB5001779, released in April.
- CVE-2021-31207: Post-auth remote code execution via arbitrary file write. Patched in KB5003435, released in May.
The vulnerabilities lie in the Microsoft Client Access Service (CAS) that typically runs on port 443 in IIS (Microsoft’s web server). CAS is commonly exposed to the public internet to enable users to access their email via mobile devices and web browsers. This exposure has led to widespread exploitation by threat actors.
What should you do?
If you are using Microsoft Exchange server:
- Ensure you have applied the July 2021 security updates for Microsoft Exchange
- (For non Sophos MTR customers) Identify and investigate your exposure windows for adversarial activity
- Identify and delete web shells and malicious binaries
- Review process activity for instances of w3wp.exe
- Identify and remove any persistence established by an actor
Investigating exposure with Sophos XDR
Verifying current Microsoft Exchange version
To determine whether you are running an unpatched version of Exchange, the below XDR query for live Windows devices produces a table of Exchange servers, their current version, and guidance on whether they need patching. Any build number not in the query's list is reported as NOT PATCHED, so verify unrecognised builds manually against the Microsoft documentation before acting on the result.
The version numbers identified in the below query were gathered from this Microsoft article.
```sql
SELECT DISTINCT
  'Check Exchange Version to confirm Patch. Manually verify build number from MS documentation.' Note,
  CASE product_version
    WHEN '15.2.922.13'  THEN 'Exchange 2019 CU10 Jul21 patched against ProxyShell'
    WHEN '15.2.922.7'   THEN 'Exchange 2019 CU10 patched against ProxyShell. Recommend also updating with recent July Patch.'
    WHEN '15.2.858.15'  THEN 'Exchange 2019 CU9 Jul21 patched against ProxyShell'
    WHEN '15.2.858.12'  THEN 'Exchange 2019 CU9 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
    WHEN '15.1.2308.14' THEN 'Exchange 2016 CU21 Jul21 patched against ProxyShell'
    WHEN '15.1.2308.8'  THEN 'Exchange 2016 CU21 patched against ProxyShell. Recommend also updating with recent July Patch.'
    WHEN '15.1.2242.12' THEN 'Exchange 2016 CU20 Jul21 patched against ProxyShell.'
    WHEN '15.1.2242.10' THEN 'Exchange 2016 CU20 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
    WHEN '15.1.2176.14' THEN 'Exchange 2016 CU19 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
    WHEN '15.0.1497.23' THEN 'Exchange 2013 CU23 Jul21 patched against ProxyShell.'
    WHEN '15.0.1497.18' THEN 'Exchange 2013 CU23 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
    ELSE 'NOT PATCHED'
  END Result,
  'Product_Version: ' || product_version Evidence
FROM file
WHERE path = ((
    -- Resolve the Exchange install directory from the registry, then append the CAS service binary
    SELECT data FROM registry
    WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
      AND path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\MsiInstallPath'
  ) || 'bin\Microsoft.Exchange.RpcClientAccess.Service.exe');
```
Identify suspicious web shells and binaries
Adversaries exploiting these vulnerabilities are first dropping web shells onto the compromised device, through which they can issue additional commands such as downloading and executing malicious binaries (such as .exe files).
As these vulnerabilities lie in CAS which runs on IIS, adversarial activity will stem from a w3wp.exe process, a worker process for IIS.
The below XDR query for live Windows devices looks at directories where adversaries are dropping web shells which may still be present on disk. Review any unexpected or recently created .aspx files that are present in the output of the query.
E.g. C:\inetpub\wwwroot\aspnet_client\654253568.aspx
```sql
SELECT *
FROM file sf
LEFT JOIN hash sh ON sf.path = sh.path
WHERE sf.path LIKE 'C:\inetpub\wwwroot\aspnet_client\system_web\%.aspx'
   OR sf.path LIKE 'C:\inetpub\wwwroot\aspnet_client\%.aspx'
   OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\%.aspx'
   OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\%.aspx'
   OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\%.aspx'
   OR sf.path LIKE 'C:\ProgramData\%.aspx'
   OR sf.path LIKE 'C:\ProgramData\%\%.aspx';
```
With the results, you can pivot from the path column of a suspected web shell by clicking the (…) button and selecting “File access history” to query and identify what processes have interacted with the file and which process created the file. Instances of w3wp.exe should be investigated to reveal further actions the adversary may have taken by pivoting from the sophosPID of the process, clicking the (…) button next to the sophosPID, and selecting the “Process activity history” query.
Alternatively, to identify web shells that have been dropped but may since have been deleted, you can interrogate the Sophos process and file journals to look at historic file creations for .aspx files in the last day by using the below XDR query for live Windows devices. To increase your hunt time range, change 'now' and '-1 days' to the values that need to be investigated.
```sql
SELECT CAST(datetime(sfj.time, 'unixepoch') AS TEXT) date,
       spj.processName,
       CASE sfj.eventType WHEN 0 THEN 'Created' END eventType,
       -- Strip everything up to and including the last backslash to leave the file name
       replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\', '')), '') fileName,
       spj.pathname processPath,
       sfj.pathname filePath,
       sfj.sophosPID
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj
       ON spj.sophosPID = sfj.sophosPID
      -- The part of the sophosPID after ':' is the process start time as a Windows FILETIME; convert it to Unix epoch seconds
      AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID, ':', '')), '') / 10000000 - 11644473600
WHERE sfj.time > strftime('%s', 'now', '-1 days')
  AND sfj.eventType IN (0)
  AND sfj.pathname LIKE '%.aspx';
```
Similarly, the sophosPID of suspect processes, especially w3wp.exe, should be pivoted from and the process activity history reviewed to determine other actions the adversary may have taken.
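To see what the journal query above actually does to a row, here is an added Python example (not Sophos's code and not part of the original article). It loads the same query into an in-memory SQLite database, which is the dialect osquery uses, seeded with a few constructed journal rows: one .aspx created by an IIS worker inside the window, one .txt from the same worker, and one .aspx created three days ago. The assumed sophosPID layout "<pid>:<process start FILETIME>" is inferred from the join expression; the table schemas and sample rows are constructed for the demonstration, and the reference time is passed in as a parameter instead of 'now' so the run is reproducible.

```python
"""Run the .aspx file-creation hunt against constructed journal data."""
import sqlite3

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
WINDOWS_EPOCH_OFFSET = 11_644_473_600

# Constructed "query time": 2021-08-23 17:50:00 UTC.
NOW = 1_629_741_000
NOW_ISO = "2021-08-23 17:50:00"


def filetime_from_unix(ts: int) -> int:
    """Unix seconds -> Windows FILETIME (100-nanosecond ticks since 1601)."""
    return (ts + WINDOWS_EPOCH_OFFSET) * 10_000_000


def sophos_pid(pid: int, start_ts: int) -> str:
    """Assumed sophosPID layout '<pid>:<process start FILETIME>'; the query's
    join parses the part after ':' and converts it back to Unix seconds."""
    return f"{pid}:{filetime_from_unix(start_ts)}"


# Constructed sample rows (not from the article).
W3WP_START = NOW - 3600
SETUP_START = NOW - 3 * 86400 - 60
W3WP_SPID = sophos_pid(4321, W3WP_START)
SETUP_SPID = sophos_pid(5555, SETUP_START)

PROCESS_JOURNAL = [
    # (sophosPID, time, processName, pathname)
    (W3WP_SPID, W3WP_START, "w3wp.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    (SETUP_SPID, SETUP_START, "setup.exe", r"C:\Temp\setup.exe"),
]
FILE_JOURNAL = [
    # (time, eventType [0 = Created], pathname, sophosPID)
    (NOW - 1800, 0, r"C:\inetpub\wwwroot\aspnet_client\654253568.aspx", W3WP_SPID),
    (NOW - 1700, 0, r"C:\inetpub\wwwroot\aspnet_client\notes.txt", W3WP_SPID),   # wrong extension
    (NOW - 3 * 86400, 0, r"C:\Program Files\App\default.aspx", SETUP_SPID),       # outside window
]

# The article's query; '?' replaces 'now' so the reference time can be fixed.
HUNT_QUERY = """
SELECT CAST(datetime(sfj.time, 'unixepoch') AS TEXT) date,
       spj.processName,
       CASE sfj.eventType WHEN 0 THEN 'Created' END eventType,
       replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\\', '')), '') fileName,
       spj.pathname processPath,
       sfj.pathname filePath,
       sfj.sophosPID
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj
       ON spj.sophosPID = sfj.sophosPID
      AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID, ':', '')), '') / 10000000 - 11644473600
WHERE sfj.time > strftime('%s', ?, '-1 days')
  AND sfj.eventType IN (0)
  AND sfj.pathname LIKE '%.aspx';
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the two journal tables in memory and load the constructed rows.
    'time' is declared INTEGER so the comparison with strftime's text result
    is done numerically, as it is on a real journal table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE sophos_process_journal (sophosPID TEXT, time INTEGER, processName TEXT, pathname TEXT);
        CREATE TABLE sophos_file_journal (time INTEGER, eventType INTEGER, pathname TEXT, sophosPID TEXT);
    """)
    conn.executemany("INSERT INTO sophos_process_journal VALUES (?, ?, ?, ?)", PROCESS_JOURNAL)
    conn.executemany("INSERT INTO sophos_file_journal VALUES (?, ?, ?, ?)", FILE_JOURNAL)
    return conn


def run_hunt(conn: sqlite3.Connection, reference_time: str = "now") -> list:
    """Run the hunt; returns one dict per .aspx creation inside the window."""
    return [dict(r) for r in conn.execute(HUNT_QUERY, (reference_time,))]


def from_iis_worker(rows: list) -> list:
    """Creations attributed to w3wp.exe, the ones the article says to pivot on."""
    return [r for r in rows if r["processName"] == "w3wp.exe"]


def demo() -> list:
    rows = run_hunt(build_sample_db(), NOW_ISO)
    for r in rows:
        print(f"{r['date']}  {r['processName'] or '?':<10} {r['fileName']:<20} {r['filePath']}")
    return rows


if __name__ == "__main__":
    demo()
```

Only the web shell row survives: the .txt fails the extension filter, the old .aspx falls outside the one-day window, and the join resolves the creating process to w3wp.exe because the FILETIME embedded in the sophosPID converts back to the worker's start time.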
Actors have commonly been dropping malicious executables, via a web shell, to the System32 directory. Recently created .exe files and other suspicious files at this path should be investigated.
E.g. C:\Windows\System32\createhidetask.exe
E.g. C:\Windows\System32\ApplicationUpdate.exe
The below XDR query for live Windows devices will list all the files currently in the System32 directory.
```sql
SELECT * FROM file WHERE path LIKE 'C:\Windows\System32\%';
```
Persistence via Scheduled Tasks
Sophos has observed threat actors establishing persistence on compromised devices by creating scheduled tasks to periodically execute a suspicious binary. The below XDR query for live Windows devices can be used to list the current Scheduled Tasks on a device which should be reviewed, and any suspicious tasks investigated.
```sql
SELECT * FROM scheduled_tasks;
```
How Sophos Managed Threat Response (MTR) can help
Threats such as ProxyShell are a good example of why it pays to have your organization backed by an elite team of threat hunters and incident response experts.
When the ProxyShell news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if any activity was related to the attack. Additionally, they looked to uncover any new artifacts (e.g. IOCs) related to the attack that could provide further protection for all Sophos customers.
The 24/7 nature of Sophos MTR meant that not a single second was wasted as we started hunting for evidence of abuse, ensuring our customers were protected.
Concerned about ProxyShell? Contact Sophos MTR today to ensure that any potential adversarial activity in your environment is identified and neutralized, before any damage is done.