Last updated 2021-08-23 UTC 18:10

Overview

Threat actors are actively scanning and exploiting vulnerable Microsoft Exchange servers that have not applied security patches released earlier this year.

ProxyShell, the name given to a collection of vulnerabilities for Microsoft Exchange servers, enables an actor to bypass authentication and execute code as a privileged user.

ProxyShell comprises three separate vulnerabilities used as part of a single attack chain:

  • CVE-2021-34473
    Pre-auth path confusion vulnerability to bypass access control
    Patched in KB5001779, released in April
  • CVE-2021-34523
    Privilege elevation vulnerability in the Exchange PowerShell backend
    Patched in KB5001779, released in April
  • CVE-2021-31207
    Post-auth remote code execution via arbitrary file write
    Patched in KB5003435, released in May

The vulnerabilities lie in the Microsoft Client Access Service (CAS) that typically runs on port 443 in IIS (Microsoft’s web server). CAS is commonly exposed to the public internet to enable users to access their email via mobile devices and web browsers. This exposure has led to widespread exploitation by threat actors.

What should you do?

If you are using Microsoft Exchange server:

  1. Ensure you have applied the July 2021 security updates for Microsoft Exchange
  2. (For non Sophos MTR customers) Identify and investigate your exposure windows for adversarial activity
    • Identify and delete web shells and malicious binaries
    • Review process activity for instances of w3wp.exe
    • Identify and remove any persistence established by an actor

Investigating exposure with Sophos XDR

Verifying current Microsoft Exchange version

To determine whether you are running an unpatched version of Exchange or not, the below XDR query for live Windows devices will produce a table of Exchange servers, their current version, and guidance whether they need patching or not.

The version numbers identified in the below query were gathered from this Microsoft article.

SELECT DISTINCT
  ‘Check Exchange Version to confirm Patch. Manually verify build number from MS documentation./’ Note,
  CASE product_version 
    WHEN ‘15.2.922.13   ‘ THEN ‘Exchange 2019 CU10 Jul21 patched against ProxyShell’
    WHEN ‘15.2.922.7’ THEN ‘Exchange 2019 CU10 patched against ProxyShell. Recommend also updating with recent July Patch.’
    WHEN ‘15.2.858.15’ THEN ‘Exchange 2019 CU9 Jul21 patched against ProxyShell’
    WHEN ‘15.2.858.12’ THEN ‘Exchange 2019 CU9 May21 patched against ProxyShell. Recommend also updating with recent July Patch.’
    WHEN ‘15.1.2308.14’ THEN ‘Exchange 2016 CU21 Jul21 patched against ProxyShell’
    WHEN ‘15.1.2308.8’ THEN ‘Exchange 2016 CU21 patched against ProxyShell. Recommend also updating with recent July Patch.’
    WHEN ‘15.1.2242.12’ THEN ‘Exchange 2016 CU21 Jul21 patched against ProxyShell.’
    WHEN ‘15.1.2242.10’ THEN ‘Exchange 2016 CU20 May21  patched against ProxyShell. Recommend also updating with recent July Patch.’
    WHEN ‘15.1.2176.14’ THEN ‘Exchange 2016 CU19 May21  patched against ProxyShell. Recommend also updating with recent July Patch.’
    WHEN ‘15.0.1497.23’ THEN ‘Exchange 2013 CU23 Jul21 patched against ProxyShell.’
    WHEN ‘15.0.1497.18’ THEN ‘Exchange 2013 CU23 May21 patched against ProxyShell. Recommend also updating with recent July Patch.’
    ELSE ‘NOT PATCHED’
  END Result,
  ‘Product_Version: ‘ || Product_version Evidence
FROM file 
WHERE path = ((
  SELECT data FROM registry 
  WHERE key = ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftExchangeServerv15Setup’ AND path = ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftExchangeServerv15SetupMsiInstallPath’ 
  )||’binMicrosoft.Exchange.RpcClientAccess.Service.exe’)

Identify suspicious web shells and binaries

Adversaries exploiting these vulnerabilities are first dropping web shells on to the compromised device through which they can issue additional commands such as downloading and executing malicious binaries (such as .exe files).

As these vulnerabilities lie in CAS which runs on IIS, adversarial activity will stem from a w3wp.exe process, a worker process for IIS.

The below XDR query for live Windows devices looks at directories where adversaries are dropping web shells which may still be present on disk. Review any unexpected or recently created .aspx files that are present in the output of the query.
E.g.  C:inetpubwwwrootaspnet_client654253568.aspx

SELECT * FROM
file sf
LEFT JOIN hash sh
ON sf.path = sh.path
WHERE
sf.path LIKE 'C:inetpubwwwrootaspnet_clientsystem_web%.aspx'
OR sf.path LIKE 'C:inetpubwwwrootaspnet_client%.aspx'
OR sf.path LIKE 'C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauth%.aspx'
OR sf.path LIKE 'C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyecpauth%.aspx'
OR sf.path LIKE 'C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthcurrent%.aspx'
OR sf.path LIKE 'C:ProgramData%.aspx'
OR sf.path LIKE 'C:ProgramData%%.aspx'

With the results, you can pivot from the path column of a suspected web shell by clicking the (…) button and selecting “File access history” to query and identify what processes have interacted with the file and which process created the file. Instances of w3wp.exe should be investigated to reveal further actions the adversary may have taken by pivoting from the sophosPID of the process, clicking the (…) button next to the sophosPID, and selecting the “Process activity history” query.

Alternatively, to identify web shells that have been dropped but may have been deleted, you can interrogate the Sophos process and file journals to look at historic file creations for .aspx files in the last day by using the below XDR query for live Windows devices. To increase your hunt time range you can change ‘now’ and  ‘-1 days’ to values that needs to be investigated.

SELECT
  CAST(datetime(sfj.time, 'unixepoch') AS TEXT) date,
  spj.processName,
  CASE sfj.eventType
    WHEN 0 THEN 'Created'
  END eventType,
  replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '', '')), '') fileName,
  spj.pathname processPath,
  sfj.pathname filePath,
  sfj.sophosPID
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj
  ON spj.sophosPID = sfj.sophosPID
  AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID  , ':', '')), '')/10000000-11644473600
WHERE sfj.time > strftime('%s', 'now', '-1 days')
  AND sfj.eventType IN (0)
  AND sfj.pathname LIKE '%.aspx';

Similarly, the sophosPID of suspect processes, especially w3wp.exe, should be pivoted from and the process activity history reviewed to determine other actions the adversary may have taken.

Actors have commonly been dropping malicious executables, via a web shell, to the System32 directory. Recently created .exe files and other suspicious files at this path should be investigated.
E.g. C:WindowsSystem32createhidetask.exe
E.g. C:WindowsSystem32ApplicationUpdate.exe

The below XDR query for live Windows devices will list all the files currently in the System32 directory.

SELECT * FROM FILE WHERE PATH LIKE 'C:WindowsSystem32%'

Persistence via Scheduled Tasks

Sophos has observed threat actors establishing persistence on compromised devices by creating scheduled tasks to periodically execute a suspicious binary. The below XDR query for live Windows devices can be used to list the current Scheduled Tasks on a device which should be reviewed, and any suspicious tasks investigated.

SELECT * FROM SCHEDULED_TASKS

How Sophos Managed Threat Response (MTR) can help

Threats such as ProxyShell are a great example of the peace of mind you get knowing your organization is backed by an elite team of threat hunters and incident response experts.

When the ProxyShell news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if any activity was related to the attack. Additionally, they looked to uncover any new artifacts (e.g. IOCs) related to the attack that could provide further protection for all Sophos customers.

The 24/7 nature of Sophos MTR meant that not a single second was wasted as we started hunting for evidence of abuse, ensuring our customers were protected.

Concerned about ProxyShell? Contact Sophos MTR today to ensure that any potential adversarial activity in your environment is identified and neutralized, before any damage is done.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)