Microsoft Offers Exchange Server Webshell Hunting Tips
Microsoft on Thursday published a comprehensive description of the Exchange Server attack methods currently taking advantage of four zero-day flaws in those products, and offered extensive advice.
The good news is that IT pros have responded fairly quickly in applying Microsoft's March 2 security patches to Exchange Server implementations, per Microsoft's estimate.
"As of today [March 25], we have seen a significant decrease in the number of still-vulnerable servers -- more than 92% of known worldwide Exchange IPs are now patched or mitigated," the announcement indicated.
The bad news is that Microsoft's March security patches only ward off initial attacks. They don't protect systems that have already been compromised. Security researchers have found Webshells dropped on compromised systems that went undetected by anti-malware software, so it's necessary for IT pros to check for indicators of compromise, even if their Exchange Servers have been patched.
The other problem raised in Microsoft's announcement is that attackers may have used the Exchange Server vulnerabilities to establish avenues for later attacks.
"By utilizing 'malwareless' persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching," the announcement explained.
Hafnium and Ransomware Attacks
These Exchange Server attacks initially were attributed to a "Hafnium" nation-state group back when Microsoft released patches for the vulnerabilities on March 2, with espionage being the presumed motive. However, some attacks have dropped cryptocurrency miners or ransomware on systems, with financial gain aims.
Microsoft's announcement characterized the current Exchange Server attacks that it's seeing as coming from "multiple threat actors."
DoejoCrypt was the first ransomware that Microsoft detected taking advantage of the Exchange Server vulnerabilities. DoejoCrypt was a new form of ransomware, but attackers also deployed existing Pydomer ransomware on Exchange Server systems. Pydomer was notorious for earlier exploiting Pulse Secure VPN vulnerabilities.
Microsoft also detected Lemon Duck botnet malware getting installed for cryptocurrency mining purposes. Sometimes, as in the case of the Lemon Duck attackers, other attackers were removed first before installing the cryptocurrency mining software.
So far, the ransomware attacks using the Exchange Server vulnerabilities haven't been extensive, Microsoft noted:
Although the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: https://aka.ms/ExchangeVulns.
Microsoft's Thursday announcement included lots of details about what to look for when investigating possible Exchange Server breaches, describing the Webshells used by attackers and other indicators of compromise.
Here are the steps Microsoft recommends for organizations running Exchange Server:
- Investigate exposed Exchange servers for compromise, regardless of their current patch status.
- Look for web shells via our guidance and run a full AV scan using the Exchange On-Premises Mitigation Tool.
- Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.
- Reset and randomize local administrator passwords with a tool like LAPS if you are not already doing so.
- Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.
- Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with exe in an attempt to hide their tracks.
- Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.
- Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.
- Check mailbox-level email forwarding settings (both ForwardingAddress and ForwardingSMTPAddress attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.
The advice comes from the Microsoft 365 Defender threat intelligence team, so presumably organizations would need an investigative tool to do the forensics, such as Microsoft Defender for Endpoint service or Azure Sentinel, which is Microsoft's cloud-based security information and event management solution.
Azure Sentinel users now have a new guide on how to use that solution to hunt for Webshells, which Microsoft published on Thursday.
Microsoft did add Hafnium attack detections to its Microsoft Defender Antivirus security solution, which will add automatic mitigations for the principal Hafnium attack method as a temporary measure. It also released its Exchange On-Premises Mitigation Tool for checking and repairing systems, among other tools organizations can use.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.