Last updated 2021-08-23 UTC 18:10
Threat actors are actively scanning and exploiting vulnerable Microsoft Exchange servers that have not applied security patches released earlier this year.
ProxyShell, the name given to a collection of vulnerabilities for Microsoft Exchange servers, enables an actor to bypass authentication and execute code as a privileged user.
ProxyShell comprises three separate vulnerabilities used as part of a single attack chain:
The vulnerabilities lie in the Microsoft Client Access Service (CAS) that typically runs on port 443 in IIS (Microsoft’s web server). CAS is commonly exposed to the public internet to enable users to access their email via mobile devices and web browsers. This exposure has led to widespread exploitation by threat actors.
If you are using Microsoft Exchange server:
w3wp.exeTo determine whether you are running an unpatched version of Exchange or not, the below XDR query for live Windows devices will produce a table of Exchange servers, their current version, and guidance whether they need patching or not.
The version numbers identified in the below query were gathered from this Microsoft article.
SELECT DISTINCT ‘Check Exchange Version to confirm Patch. Manually verify build number from MS documentation./’ Note, CASE product_version WHEN ‘15.2.922.13 ‘ THEN ‘Exchange 2019 CU10 Jul21 patched against ProxyShell’ WHEN ‘15.2.922.7’ THEN ‘Exchange 2019 CU10 patched against ProxyShell. Recommend also updating with recent July Patch.’ WHEN ‘15.2.858.15’ THEN ‘Exchange 2019 CU9 Jul21 patched against ProxyShell’ WHEN ‘15.2.858.12’ THEN ‘Exchange 2019 CU9 May21 patched against ProxyShell. Recommend also updating with recent July Patch.’ WHEN ‘15.1.2308.14’ THEN ‘Exchange 2016 CU21 Jul21 patched against ProxyShell’ WHEN ‘15.1.2308.8’ THEN ‘Exchange 2016 CU21 patched against ProxyShell. Recommend also updating with recent July Patch.’ WHEN ‘15.1.2242.12’ THEN ‘Exchange 2016 CU21 Jul21 patched against ProxyShell.’ WHEN ‘15.1.2242.10’ THEN ‘Exchange 2016 CU20 May21 patched against ProxyShell. Recommend also updating with recent July Patch.’ WHEN ‘15.1.2176.14’ THEN ‘Exchange 2016 CU19 May21 patched against ProxyShell. Recommend also updating with recent July Patch.’ WHEN ‘15.0.1497.23’ THEN ‘Exchange 2013 CU23 Jul21 patched against ProxyShell.’ WHEN ‘15.0.1497.18’ THEN ‘Exchange 2013 CU23 May21 patched against ProxyShell. Recommend also updating with recent July Patch.’ ELSE ‘NOT PATCHED’ END Result, ‘Product_Version: ‘ || Product_version Evidence FROM file WHERE path = (( SELECT data FROM registry WHERE key = ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftExchangeServerv15Setup’ AND path = ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftExchangeServerv15SetupMsiInstallPath’ )||’binMicrosoft.Exchange.RpcClientAccess.Service.exe’)
Adversaries exploiting these vulnerabilities are first dropping web shells on to the compromised device through which they can issue additional commands such as downloading and executing malicious binaries (such as .exe files).
As these vulnerabilities lie in CAS which runs on IIS, adversarial activity will stem from a w3wp.exe process, a worker process for IIS.
The below XDR query for live Windows devices looks at directories where adversaries are dropping web shells which may still be present on disk. Review any unexpected or recently created .aspx files that are present in the output of the query.
E.g. C:inetpubwwwrootaspnet_client654253568.aspx
SELECT * FROM file sf LEFT JOIN hash sh ON sf.path = sh.path WHERE sf.path LIKE 'C:inetpubwwwrootaspnet_clientsystem_web%.aspx' OR sf.path LIKE 'C:inetpubwwwrootaspnet_client%.aspx' OR sf.path LIKE 'C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauth%.aspx' OR sf.path LIKE 'C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyecpauth%.aspx' OR sf.path LIKE 'C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthcurrent%.aspx' OR sf.path LIKE 'C:ProgramData%.aspx' OR sf.path LIKE 'C:ProgramData%%.aspx'
With the results, you can pivot from the path column of a suspected web shell by clicking the (…) button and selecting “File access history” to query and identify what processes have interacted with the file and which process created the file. Instances of w3wp.exe should be investigated to reveal further actions the adversary may have taken by pivoting from the sophosPID of the process, clicking the (…) button next to the sophosPID, and selecting the “Process activity history” query.
Alternatively, to identify web shells that have been dropped but may have been deleted, you can interrogate the Sophos process and file journals to look at historic file creations for .aspx files in the last day by using the below XDR query for live Windows devices. To increase your hunt time range you can change ‘now’ and ‘-1 days’ to values that needs to be investigated.
SELECT
CAST(datetime(sfj.time, 'unixepoch') AS TEXT) date,
spj.processName,
CASE sfj.eventType
WHEN 0 THEN 'Created'
END eventType,
replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '', '')), '') fileName,
spj.pathname processPath,
sfj.pathname filePath,
sfj.sophosPID
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj
ON spj.sophosPID = sfj.sophosPID
AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID , ':', '')), '')/10000000-11644473600
WHERE sfj.time > strftime('%s', 'now', '-1 days')
AND sfj.eventType IN (0)
AND sfj.pathname LIKE '%.aspx';
Similarly, the sophosPID of suspect processes, especially w3wp.exe, should be pivoted from and the process activity history reviewed to determine other actions the adversary may have taken.
Actors have commonly been dropping malicious executables, via a web shell, to the System32 directory. Recently created .exe files and other suspicious files at this path should be investigated.
E.g. C:WindowsSystem32createhidetask.exe
E.g. C:WindowsSystem32ApplicationUpdate.exe
The below XDR query for live Windows devices will list all the files currently in the System32 directory.
SELECT * FROM FILE WHERE PATH LIKE 'C:WindowsSystem32%'
Sophos has observed threat actors establishing persistence on compromised devices by creating scheduled tasks to periodically execute a suspicious binary. The below XDR query for live Windows devices can be used to list the current Scheduled Tasks on a device which should be reviewed, and any suspicious tasks investigated.
SELECT * FROM SCHEDULED_TASKS
Threats such as ProxyShell are a great example of the peace of mind you get knowing your organization is backed by an elite team of threat hunters and incident response experts.
When the ProxyShell news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if any activity was related to the attack. Additionally, they looked to uncover any new artifacts (e.g. IOCs) related to the attack that could provide further protection for all Sophos customers.
The 24/7 nature of Sophos MTR meant that not a single second was wasted as we started hunting for evidence of abuse, ensuring our customers were protected.
Concerned about ProxyShell? Contact Sophos MTR today to ensure that any potential adversarial activity in your environment is identified and neutralized, before any damage is done.
4909 Murphy Canyon Road Suite, 500
San Diego, CA 92123
Store
Company
Support
Newsletter
